Auditing of Policy Change: Authentication Policy Change events on failure should be enabled or disabled as appropriate. Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy. Changes made to authentication policy include: * Creation, modification, and removal of forest and domain trusts. * Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. When any of the following user rights is granted to a user or group: * Access this computer from the network * Allow logon locally * Allow logon through Remote Desktop * Logon as a batch job * Logon as a service * Namespace collision, such as when an added trust collides with an existing namespace name. Fix: (1) GPO: Commandline: auditpol.exe (2) REG: NO INFO