This security policy setting determines whether the operating system generates audit events when the following changes are made to the authorization policy:

• Assigning or removing of user rights (privileges) such as SeCreateTokenPrivilege, except for the system access rights that are audited by using the Audit Authentication Policy Change subcategory. 
  
• Changing the Encrypting File System (EFS) policy. 
  

Event volume: Low
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

• 4704: A user right was assigned.
  
• 4705: A user right was removed.
  
• 4706: A new trust was created to a domain.
  
• 4707: A trust to a domain was removed.
  
• 4714: Encrypted data recovery policy was changed.