File name: | auditpolmsg.dll.mui |
Size: | 36352 bytes |
MD5: | a8dce3c7392ec1ccf355fb6e7b89372d |
SHA1: | d2cb6f5e9f384bc099e1eeab378be358a781e5d7 |
SHA256: | cc95ec60613c596bffd1fdc93f37751f42218b3bf5684a7a0463aa882a3dbe9c |
Operating systems: | Windows 10 |
Extension: | MUI |
If an error or one of the following messages appears in Chinese (Traditional) and you cannot find a solution, check the answer in English. The table below shows how each phrase reads in English.
id | Chinese (Traditional) | English |
---|---|---|
1 | 成功 | Success |
2 | 失敗 | Failure |
3 | 成功與失敗 | Success and Failure |
4 | 沒有稽核 | No Auditing |
5 | 尚未設定 | Not Configured |
99 | 稽核原則 | Audit Policies |
100 | 系統稽核原則 | System Audit Policies |
101 | 帳戶管理 | Account Management |
102 | 稽核使用者帳戶管理 | Audit User Account Management |
103 | 稽核電腦帳戶管理 | Audit Computer Account Management |
104 | 稽核安全性群組管理 | Audit Security Group Management |
105 | 稽核發佈群組管理 | Audit Distribution Group Management |
106 | 稽核應用程式群組管理 | Audit Application Group Management |
107 | 稽核其他帳戶管理事件 | Audit Other Account Management Events |
121 | 登入/登出 | Logon/Logoff |
122 | 稽核登入 | Audit Logon |
123 | 稽核登出 | Audit Logoff |
124 | 稽核帳戶鎖定 | Audit Account Lockout |
125 | 稽核 IPsec 主要模式 | Audit IPsec Main Mode |
126 | 稽核 IPsec 快速模式 | Audit IPsec Quick Mode |
127 | 稽核 IPsec 延伸模式 | Audit IPsec Extended Mode |
128 | 稽核特殊登入 | Audit Special Logon |
129 | 稽核其他登入/登出事件 | Audit Other Logon/Logoff Events |
130 | 稽核網路原則伺服器 | Audit Network Policy Server |
131 | 稽核使用者/裝置宣告 | Audit User / Device Claims |
132 | 稽核群組成員資格 | Audit Group Membership |
151 | 原則變更 | Policy Change |
152 | 稽核「稽核原則變更」 | Audit Audit Policy Change |
153 | 稽核驗證原則變更 | Audit Authentication Policy Change |
154 | 稽核授權原則變更 | Audit Authorization Policy Change |
155 | 稽核 MPSSVC 規則層級原則變更 | Audit MPSSVC Rule-Level Policy Change |
156 | 稽核篩選平台原則變更 | Audit Filtering Platform Policy Change |
157 | 稽核其他原則變更事件 | Audit Other Policy Change Events |
181 | 特殊權限使用 | Privilege Use |
182 | 稽核機密特殊權限使用 | Audit Sensitive Privilege Use |
183 | 稽核非機密特殊權限使用 | Audit Non Sensitive Privilege Use |
184 | 稽核其他特殊權限使用事件 | Audit Other Privilege Use Events |
201 | 詳細追蹤 | Detailed Tracking |
202 | 稽核建立處理程序 | Audit Process Creation |
203 | 稽核終止處理程序 | Audit Process Termination |
204 | 稽核 DPAPI 活動 | Audit DPAPI Activity |
205 | 稽核 RPC 事件 | Audit RPC Events |
206 | 稽核 PNP 活動 | Audit PNP Activity |
207 | 稽核權杖權限調整 | Audit Token Right Adjusted |
231 | 系統 | System |
232 | 稽核安全性狀態變更 | Audit Security State Change |
233 | 稽核安全性系統延伸 | Audit Security System Extension |
234 | 稽核系統完整性 | Audit System Integrity |
235 | 稽核 IPsec 驅動程式 | Audit IPsec Driver |
236 | 稽核其他系統事件 | Audit Other System Events |
261 | 物件存取 | Object Access |
262 | 稽核檔案系統 | Audit File System |
263 | 稽核登錄 | Audit Registry |
264 | 稽核核心物件 | Audit Kernel Object |
265 | 稽核 SAM | Audit SAM |
266 | 稽核憑證服務 | Audit Certification Services |
267 | 稽核產生的應用程式 | Audit Application Generated |
268 | 稽核控制代碼操作 | Audit Handle Manipulation |
269 | 稽核檔案共用 | Audit File Share |
270 | 稽核篩選平台封包丟棄 | Audit Filtering Platform Packet Drop |
271 | 稽核篩選平台連線 | Audit Filtering Platform Connection |
272 | 稽核其他物件存取事件 | Audit Other Object Access Events |
273 | 稽核詳細的檔案共用 | Audit Detailed File Share |
274 | 稽核抽取式存放裝置 | Audit Removable Storage |
275 | 稽核集中存取原則執行 | Audit Central Access Policy Staging |
291 | DS 存取 | DS Access |
292 | 稽核目錄服務存取 | Audit Directory Service Access |
293 | 稽核目錄服務變更 | Audit Directory Service Changes |
294 | 稽核目錄服務複寫 | Audit Directory Service Replication |
295 | 稽核詳細目錄服務複寫 | Audit Detailed Directory Service Replication |
321 | 帳戶登入 | Account Logon |
322 | 稽核認證驗證 | Audit Credential Validation |
323 | 稽核 Kerberos 服務票證操作 | Audit Kerberos Service Ticket Operations |
324 | 稽核其他帳戶登入事件 | Audit Other Account Logon Events |
325 | 稽核 Kerberos 驗證服務 | Audit Kerberos Authentication Service |
400 | 進階稽核原則設定 | Advanced Audit Policy Configuration |
500 | 進階稽核設定 | Advanced Audit Configuration |
501 | Microsoft Corporation | Microsoft Corporation |
502 | 設定 Windows 的細微稽核原則。 | Configure granular audit policies for Windows. |
503 | 1.0 | 1.0 |
602 | 使用者帳戶管理
這個原則設定可讓您稽核使用者帳戶的變更。包含下列事件: 建立、變更、刪除、重新命名、停用、啟用、鎖定或解除鎖定使用者帳戶。 設定或變更使用者帳戶的密碼。 將安全性識別碼 (SID) 新增到使用者帳戶的 SID 歷程記錄。 設定目錄服務還原模式密碼。 變更管理使用者帳戶的權限。 備份或還原認證管理員認證。 如果您設定這個原則設定,則會在嘗試變更使用者帳戶時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。如果您未設定這個原則設定,則不會在使用者帳戶變更時產生稽核事件。 數量: 低。 預設值: 成功。 |
User Account Management
This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user account’s password is set or changed. A security identifier (SID) is added to the SID History of a user account. The Directory Services Restore Mode password is configured. Permissions on administrative user accounts are changed. Credential Manager credentials are backed up or restored. If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a user account changes. Volume: Low. Default: Success. |
603 | 電腦帳戶管理
這個原則設定可讓您稽核因電腦帳戶變更 (如建立、變更或刪除電腦帳戶時) 而產生的事件。 如果您設定這個原則設定,則會在嘗試變更電腦帳戶時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在電腦帳戶變更時產生稽核事件。 數量: 低。 用戶端版本的預設值: 沒有稽核。 伺服器版本的預設值: 成功。 |
Computer Account Management
This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a computer account changes. Volume: Low. Default on Client editions: No Auditing. Default on Server editions: Success. |
604 | 安全性群組管理
這個原則設定可讓您稽核因安全性群組變更而產生的事件,例如: 建立、變更或刪除安全性群組。 在安全性群組中新增或移除成員。 變更群組類型。 如果您設定這個原則設定,則會在嘗試變更安全性群組時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在安全性群組變更時產生稽核事件。 數量: 低。 預設值: 成功。 |
Security Group Management
This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a security group changes. Volume: Low. Default: Success. |
605 | 發佈群組管理
這個原則設定可讓您稽核因發佈群組變更而產生的事件,例如: 建立、變更或刪除發佈群組。 在發佈群組中新增或移除成員。 變更發佈群組類型。 如果您設定這個原則設定,則會在嘗試變更發佈群組時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在發佈群組變更時產生稽核事件。 注意: 這個子類別中的事件只會記錄在網域控制站上。 數量: 低。 預設值: 沒有稽核。 |
Distribution Group Management
This policy setting allows you to audit events generated by changes to distribution groups such as the following: Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a distribution group changes. Note: Events in this subcategory are logged only on domain controllers. Volume: Low. Default: No Auditing. |
606 | 應用程式群組管理
這個原則設定可讓您稽核因應用程式群組變更而產生的事件,例如: 建立、變更或刪除應用程式群組。 在應用程式群組中新增或移除成員。 如果您設定這個原則設定,則會在嘗試變更應用程式群組時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在應用程式群組變更時產生稽核事件。 數量: 低。 預設值: 沒有稽核。 |
Application Group Management
This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group. If you configure this policy setting, an audit event is generated when an attempt to change an application group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an application group changes. Volume: Low. Default: No Auditing. |
607 | 其他帳戶管理事件
這個原則設定可讓您稽核因這個類別未涵蓋的其他使用者帳戶變更而產生的事件,例如: 已存取使用者帳戶的密碼雜湊。這一般是在 Active Directory 管理工具密碼移轉期間發生。 已呼叫密碼原則檢查 API。在惡意應用程式測試原則以減少密碼字典攻擊期間的嘗試次數時,呼叫這個功能會是一種攻擊。 下列群組原則路徑下的預設網域群組原則變更: 電腦設定\Windows 設定\安全性設定\帳戶原則\密碼原則 電腦設定\Windows 設定\安全性設定\帳戶原則\帳戶鎖定原則 注意: 套用原則設定時,會記錄安全性稽核事件。而修改設定時,則不會發生該事件。 數量: 低。 預設值: 沒有稽核。 |
Other Account Management Events
This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack. Changes to the Default Domain Group Policy under the following Group Policy paths: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy Note: The security audit event is logged when the policy setting is applied. It does not occur at the time when the settings are modified. Volume: Low. Default: No Auditing. |
622 | 稽核登入
這個原則設定可讓您稽核因電腦上的使用者帳戶登入嘗試而產生的事件。 這個子類別中的事件是與建立登入工作階段有關,而且發生在被存取的電腦上。如果是互動式登入,則會在使用者帳戶登入的電腦上產生安全性稽核事件。如果是網路登入 (如存取網路上的共用資料夾),則會在裝載資源的電腦上產生安全性稽核事件。包含下列事件: 成功登入嘗試。 失敗登入嘗試。 使用明確認證的登入嘗試。處理程序嘗試明確指定該帳戶的認證來登入帳戶時,會產生這個事件。這最常發生於批次登入設定 (如排定的工作或使用 RUNAS 命令時)。 已篩選安全性識別碼 (SID) 且不允許其登入 數量: 用戶端電腦上是「低」。網域控制站或網路伺服器上是「中」。 用戶端版本的預設值: 成功。 伺服器版本的預設值: 成功,失敗。 |
Audit Logon
This policy setting allows you to audit events generated by user account logon attempts on the computer. Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The following events are included: Successful logon attempts. Failed logon attempts. Logon attempts using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch logon configurations, such as scheduled tasks or when using the RUNAS command. Security identifiers (SIDs) were filtered and not allowed to log on. Volume: Low on a client computer. Medium on a domain controller or a network server Default on Client editions: Success. Default on Server editions: Success, Failure. |
623 | 登出
這個原則設定可讓您稽核因關閉登入工作階段而產生的事件。這些事件發生於被存取的電腦上。如果是互動式登出,則會在使用者帳戶登入的電腦上產生安全性稽核事件。 如果您設定這個原則設定,則會在關閉登入工作階段時產生稽核事件。成功稽核會記錄成功關閉工作階段嘗試,而失敗稽核則會記錄失敗關閉工作階段嘗試。 如果您未設定這個原則設定,則不會在關閉登入工作階段時產生稽核事件。 數量: 低。 預設值: 成功。 |
Logoff
This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. If you configure this policy setting, an audit event is generated when a logon session is closed. Success audits record successful attempts to close sessions and Failure audits record unsuccessful attempts to close sessions. If you do not configure this policy setting, no audit event is generated when a logon session is closed. Volume: Low. Default: Success. |
624 | 帳戶鎖定
此原則設定可以讓您稽核因嘗試登入的帳戶被鎖定而失敗所產生的事件。 若您設定此原則設定,則會在帳戶因鎖定而無法登入電腦時產生稽核事件。成功稽核會記錄成功的嘗試,而失敗稽核則會記錄不成功的嘗試。 登入事件對於了解使用者活動以及偵測潛在的攻擊是十分重要的。 磁碟區: 低。 預設值: 成功。 |
Account Lockout
This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and Failure audits record unsuccessful attempts. Logon events are essential for understanding user activity and to detect potential attacks. Volume: Low. Default: Success. |
625 | IPsec 主要模式
這個原則設定可讓您稽核網際網路金鑰交換通訊協定 (IKE) 及已驗證網際網路通訊協定 (AuthIP) 在主要模式交涉期間產生的事件。 如果您設定這個原則設定,則會在 IPsec 主要模式交涉期間產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在 IPsec 主要模式交涉期間產生稽核事件。 數量: 高。 預設值: 沒有稽核。 |
IPsec Main Mode
This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Main Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Main Mode negotiation. Volume: High. Default: No Auditing. |
626 | IPsec 快速模式
這個原則設定可讓您稽核網際網路金鑰交換通訊協定 (IKE) 及已驗證網際網路通訊協定 (AuthIP) 在快速模式交涉期間產生的事件。 如果您設定這個原則設定,則會在 IPsec 快速模式交涉期間產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在 IPsec 快速模式交涉期間產生稽核事件。 數量: 高。 預設值: 沒有稽核。 |
IPsec Quick Mode
This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts.If you do not configure this policy setting, no audit event is generated during an IPsec Quick Mode negotiation. Volume: High. Default: No Auditing. |
627 | IPsec 延伸模式
這個原則設定可讓您稽核網際網路金鑰交換通訊協定 (IKE) 及已驗證網際網路通訊協定 (AuthIP) 在延伸模式交涉期間產生的事件。 如果您設定這個原則設定,則會在 IPsec 延伸模式交涉期間產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在 IPsec 延伸模式交涉期間產生稽核事件。 數量: 高。 預設值: 沒有稽核。 |
IPsec Extended Mode
This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Extended Mode negotiation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated during an IPsec Extended Mode negotiation. Volume: High. Default: No Auditing. |
628 | 特殊登入
這個原則設定可讓您稽核因特殊登入而產生的事件,例如: 使用特殊登入,這是具有管理員同等權限而且可以用來將處理程序提高為較高等級的登入。 特殊群組成員的登入。特殊群組可讓您稽核特定群組成員登入網路時產生的事件。您可以在登錄中設定群組安全性識別碼 (SID) 清單。如果上述任一 SID 在登入期間被新增至權杖,而且子類別已啟用,則會記錄事件。如需這個功能的詳細資訊,請參閱 Microsoft 知識庫文章 947223 (https://go.microsoft.com/fwlink/?LinkId=121697)。 數量: 低。 預設值: 成功。 |
Special Logon
This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121697). Volume: Low. Default: Success. |
629 | 其他登入/登出事件
這個原則設定可讓您稽核「登入/登出」原則設定未涵蓋的其他登入/登出相關事件,例如: 終端機服務工作階段中斷連線。 新的終端機服務工作階段。 鎖定及解除鎖定工作站。 呼叫螢幕保護裝置。 解除螢幕保護裝置。 偵測 Kerberos 重新執行攻擊,在這類攻擊中,會接收到具有相同資訊的 Kerberos 要求兩次。這個狀況可能是網路設定錯誤而造成。 將無線網路存取權限授與使用者或電腦帳戶。 將有線 802.1x 網路存取權限授與使用者或電腦帳戶。 數量: 低。 預設值: 沒有稽核。 |
Other Logon/Logoff Events
This policy setting allows you to audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. Invoking a screen saver. Dismissal of a screen saver. Detection of a Kerberos replay attack, in which a Kerberos request was received twice with identical information. This condition could be caused by network misconfiguration. Access to a wireless network granted to a user or computer account. Access to a wired 802.1x network granted to a user or computer account. Volume: Low. Default: No Auditing. |
630 | 網路原則伺服器
這個原則設定可讓您稽核 RADIUS (IAS) 及網路存取保護 (NAP) 使用者存取要求所產生的事件。這些要求可以是授與、拒絕、捨棄、隔離、鎖定及解除鎖定。 如果您設定這個原則設定,則會針對每個 IAS 及 NAP 使用者存取要求產生稽核事件。成功稽核會記錄成功的使用者存取要求,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會稽核 IAS 及 NAP 使用者存取要求。 數量: 在 NPS 及 IAS 伺服器上是「中」或「高」,而其他電腦上則沒有數量。 預設值: 成功,失敗。 |
Network Policy Server
This policy setting allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. If you configure this policy setting, an audit event is generated for each IAS and NAP user access request. Success audits record successful user access requests and Failure audits record unsuccessful attempts. If you do not configure this policy settings, IAS and NAP user access requests are not audited. Volume: Medium or High on NPS and IAS server. No volume on other computers. Default: Success, Failure. |
631 | 使用者/裝置宣告
此原則可讓您稽核使用者之登入權杖中的使用者與裝置宣告資訊。此子類別中的事件是在建立登入工作階段的電腦上產生。對於互動式登入,安全性稽核事件是在使用者登入的電腦上產生。對於網路登入 (例如,存取網路上的共用資料夾),安全性稽核事件是在裝載資源的電腦上產生。 當宣告包含於 Active Directory 中的使用者帳戶屬性中時,使用者宣告會被新增至登入權杖。當宣告包含於 Active Directory 中的裝置電腦帳戶屬性中時,裝置宣告會被新增至登入權杖。此外,必須為網域與使用者登入的電腦啟用複合身分識別。 設定此設定時,會為每個成功的登入建立一或多個安全性稽核事件。您也必須在「進階稽核原則設定\系統稽核原則\登入/登出」下啟用「稽核登入」設定。若使用者與裝置宣告資訊無法放在單一安全性稽核事件中,則會產生多個事件。 數量: 用戶端電腦上是「低」。網域控制站或網路伺服器上是「中」 預設值: 不稽核。 |
User / Device Claims
This policy allows you to audit user and device claims information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. User claims are added to a logon token when claims are included with a user's account attributes in Active Directory. Device claims are added to the logon token when claims are included with a device's computer account attributes in Active Directory. In addition, compound identity must be enabled for the domain and on the computer where the user logged on. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the user and device claims information cannot fit in a single security audit event. Volume: Low on a client computer. Medium on a domain controller or a network server Default: No Auditing. |
632 | 群組成員資格
此原則可讓您稽核使用者登入權杖中的群組成員資格資訊。這個子類別中的事件會在建立登入工作階段的電腦上產生。對於互動式登入,安全性稽核事件會在使用者登入的電腦上產生。對於網路登入 (例如存取網路上的共用資料夾),安全性稽核事件會在主控資源的電腦上產生。 設定此設定後,會針對每個成功的登入產生一或多個安全性稽核事件。您也必須啟用「進階稽核原則設定\系統稽核原則\登入/登出」底下的「稽核登入」設定。如果單一安全性稽核事件無法容納群組成員資格資訊,則會產生多個事件。 數量: 用戶端電腦上為低。網域控制站或網路伺服器上為中 預設值: 沒有稽核。 |
Group Membership
This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. Volume: Low on a client computer. Medium on a domain controller or a network server Default: No Auditing. |
652 | 稽核原則變更
這個原則設定可讓您稽核安全性稽核原則設定變更,例如: 稽核原則物件上的設定權限及稽核設定。 系統稽核原則的變更。 安全性事件來源的註冊。 解除安全性事件來源的註冊。 每個使用者稽核設定的變更。 CrashOnAuditFail 值的變更。 檔案系統或登錄物件上的系統存取控制清單變更。 特殊群組清單的變更。 注意: 物件的 SACL 變更而且已啟用原則變更類別時,會進行系統存取控制清單 (SACL) 變更稽核。啟用物件存取稽核且設定物件的 SACL 以稽核 DACL/擁有者變更時,會稽核判別存取控制清單 (DACL) 及擁有權變更。 如果您設定這個原則設定,則會在嘗試遠端 RPC 連線時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在嘗試遠端 RPC 連線時產生稽核事件。 數量: 低。 預設值: 成功。 |
Audit Policy Change
This policy setting allows you to audit changes in the security audit policy settings such as the following: Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list. Note: System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. Volume: Low. Default: Success. |
653 | 驗證原則變更
這個原則設定可讓您稽核因驗證原則變更而產生的事件,例如: 建立樹系及網域信任。 修改樹系及網域信任。 移除樹系及網域信任。 變更下列位置下的 Kerberos 原則: 電腦設定\Windows 設定\安全性設定\帳戶原則\Kerberos 原則 將下列任何使用者權限授與使用者或群組: 從網路存取這台電腦。 允許本機登入。 允許透過終端機服務登入。 以批次工作登入。 以服務方式登入。 命名空間衝突。例如,新信任的名稱與現有命名空間名稱相同時。 如果您設定這個原則設定,則會在嘗試變更驗證原則時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在變更驗證原則時產生稽核事件。 注意: 套用群組原則時,會記錄安全性稽核事件。而修改設定時,則不會發生該事件。 數量: 低。 預設值: 成功。 |
Authentication Policy Change
This policy setting allows you to audit events generated by changes to the authentication policy such as the following: Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group: Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. Note: The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. Volume: Low. Default: Success. |
654 | 授權原則變更
這個原則設定可讓您稽核因授權原則變更而產生的事件,例如: 指派未透過「驗證原則變更」子類別稽核的使用者權限 (如 SeCreateTokenPrivilege)。 移除未透過「驗證原則變更」子類別稽核的使用者權限 (如 SeCreateTokenPrivilege)。 加密檔案系統 (EFS) 原則的變更。 物件之資源屬性的變更。 套用至物件之集中存取原則 (CAP) 的變更。 如果您設定這個原則設定,則會在嘗試變更授權原則時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在變更授權原則時產生稽核事件。 數量: 低。 預設值: 沒有稽核。 |
Authorization Policy Change
This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. Removal of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the “Authentication Policy Change” subcategory. Changes in the Encrypted File System (EFS) policy. Changes to the Resource attributes of an object. Changes to the Central Access Policy (CAP) applied to an object. If you configure this policy setting, an audit event is generated when an attempt to change the authorization policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when the authorization policy changes. Volume: Low. Default: No Auditing. |
655 | MPSSVC 規則層級原則變更
這個原則設定可讓您稽核因 Microsoft 保護服務 (MPSSVC) 使用之原則規則變更而產生的事件。這個服務是供 Windows 防火牆使用。包含下列事件: 報告 Windows 防火牆服務啟動時的使用中原則。 Windows 防火牆規則的變更。 Windows 防火牆例外清單的變更。 Windows 防火牆設定的變更。 Windows 防火牆服務忽略或未套用的規則。 Windows 防火牆群組原則設定的變更。 如果您設定這個原則設定,則會在嘗試變更 MPSSVC 所使用的原則規則時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,在 MPSSVC 使用的原則規則變更時則不會產生稽核事件。 數量: 低。 預設值: 沒有稽核。 |
MPSSVC Rule-Level Policy Change
This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows Firewall rules. Changes to Windows Firewall exception list. Changes to Windows Firewall settings. Rules ignored or not applied by Windows Firewall Service. Changes to Windows Firewall Group Policy settings. If you configure this policy setting, an audit event is generated by attempts to change policy rules used by the MPSSVC. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated by changes in policy rules used by the MPSSVC. Volume: Low. Default: No Auditing. |
656 | 篩選平台原則變更
這個原則設定可讓您稽核因 Windows 篩選平台 (WFP) 變更而產生的事件,例如: IPsec 服務狀態。 IPsec 原則設定的變更。 Windows 防火牆原則設定的變更。 WFP 提供者及引擎的變更。 如果您設定這個原則設定,則會在嘗試變更 WFP 時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在變更 WFP 時產生稽核事件。 數量: 低。 預設值: 沒有稽核。 |
Filtering Platform Policy Change
This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP) such as the following: IPsec services status. Changes to IPsec policy settings. Changes to Windows Firewall policy settings. Changes to WFP providers and engine. If you configure this policy setting, an audit event is generated when a change to the WFP is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a change occurs to the WFP. Volume: Low. Default: No Auditing. |
657 | 其他原則變更事件
這個原則設定可讓您稽核原則變更類別未稽核之其他安全性原則變更所產生的稽核事件,例如: 信賴平台模組 (TPM) 設定變更。 核心模式密碼編譯自我測試。 密碼編譯提供者操作。 密碼編譯內容操作或修改。 已套用的集中存取原則 (CAP) 變更。 開機設定資料 (BCD) 修改。 數量: 低。 預設值: 沒有稽核。 |
Other Policy Change Events
This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: Trusted Platform Module (TPM) configuration changes. Kernel-mode cryptographic self tests. Cryptographic provider operations. Cryptographic context operations or modifications. Applied Central Access Policies (CAPs) changes. Boot Configuration Data (BCD) modifications. Volume: Low. Default: No Auditing. |
682 | 機密特殊權限使用
這個原則設定可讓您稽核使用機密特殊權限 (使用者權限) 時產生的事件,例如: 呼叫特許服務。 呼叫下列其中一種權限: 當成作業系統的一部分。 備份檔案及目錄。 建立權杖物件。 偵錯程式。 讓電腦及使用者帳戶受信賴,以進行委派。 產生安全性稽核。 在驗證後模擬用戶端。 載入及解除載入裝置驅動程式。 管理稽核及安全性記錄檔。 修改韌體環境值。 取代處理程序等級權杖。 還原檔案及目錄。 取得檔案或其他物件的擁有權。 如果您設定這個原則設定,則會在進行機密特殊權限要求時產生稽核事件。成功稽核會記錄成功要求,而失敗稽核則會記錄失敗要求。 如果您未設定這個原則設定,則不會在進行機密特殊權限要求時產生稽核事件。 數量: 高。 |
Sensitive Privilege Use
This policy setting allows you to audit events generated when sensitive privileges (user rights) are used such as the following: A privileged service is called. One of the following privileges are called: Act as part of the operating system. Back up files and directories. Create a token object. Debug programs. Enable computer and user accounts to be trusted for delegation. Generate security audits. Impersonate a client after authentication. Load and unload device drivers. Manage auditing and security log. Modify firmware environment values. Replace a process-level token. Restore files and directories. Take ownership of files or other objects. If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated when sensitive privilege requests are made. Volume: High. |
683 | 非機密特殊權限使用
這個原則設定可讓您稽核因使用非機密特殊權限 (使用者權限) 而產生的事件。 下列是非機密的特殊權限: 存取認證管理員做為信任的呼叫者。 從網路存取這台電腦。 將工作站新增至網域。 調整處理程序的記憶體配額。 允許本機登入。 允許透過終端機服務登入。 略過周遊檢查。 變更系統時間。 建立分頁檔。 建立通用物件。 建立永久共用物件。 建立符號連結。 拒絕從網路存取這台電腦。 拒絕以批次工作登入。 拒絕以服務方式登入。 拒絕本機登入。 拒絕透過終端機服務登入。 強制從遠端系統進行關閉。 增加處理程序工作集。 增加排程優先順序。 鎖定記憶體中的分頁。 以批次工作登入。 以服務方式登入。 修改物件標籤。 執行磁碟區維護工作。 監視單一處理程序。 監視系統效能。 從擴充座移除電腦。 關閉系統。 同步處理目錄服務資料。 如果您設定這個原則設定,則會在呼叫非機密特殊權限時產生稽核事件。成功稽核會記錄成功呼叫,而失敗稽核則會記錄失敗呼叫。 如果您未設定這個原則設定,則不會在呼叫非機密特殊權限時產生稽核事件。 數量: 極高。 |
Non Sensitive Privilege Use
This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. Adjust memory quotas for a process. Allow log on locally. Allow log on through Terminal Services. Bypass traverse checking. Change the system time. Create a pagefile. Create global objects. Create permanent shared objects. Create symbolic links. Deny access this computer from the network. Deny log on as a batch job. Deny log on as a service. Deny log on locally. Deny log on through Terminal Services. Force shutdown from a remote system. Increase a process working set. Increase scheduling priority. Lock pages in memory. Log on as a batch job. Log on as a service. Modify an object label. Perform volume maintenance tasks. Profile single process. Profile system performance. Remove computer from docking station. Shut down the system. Synchronize directory service data. If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful calls and Failure audits record unsuccessful calls. If you do not configure this policy setting, no audit event is generated when a non-sensitive privilege is called. Volume: Very High. |
684 | 未使用。 | Not used. |
702 | 建立處理程序
這個原則設定可讓您稽核建立或啟動處理程序時產生的事件,也會稽核建立處理程序的應用程式或使用者名稱。 如果您設定這個原則設定,則會在建立處理程序時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在建立處理程序時產生稽核事件。 數量: 取決於電腦的使用方式。 |
Process Creation
This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process is created. Volume: Depends on how the computer is used. |
703 | 終止處理程序
這個原則設定可讓您稽核處理程序結束時產生的事件。 如果您設定這個原則設定,則會在處理程序結束時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在處理程序結束時產生稽核事件。 數量: 取決於電腦的使用方式。 |
Process Termination
This policy setting allows you to audit events generated when a process ends. If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a process ends. Volume: Depends on how the computer is used. |
704 | DPAPI 活動
這個原則設定可讓您稽核對資料保護應用程式介面 (DPAPI) 進行加密或解密要求時產生的事件。DPAPI 是用來保護秘密資訊 (如儲存的密碼及金鑰資訊)。如需 DPAPI 的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=121720。 如果您設定這個原則設定,則會在對 DPAPI 進行加密或解密要求時產生稽核事件。成功稽核會記錄成功要求,而失敗稽核則會記錄失敗要求。 如果您未設定這個原則設定,則不會在對 DPAPI 進行加密或解密要求時產生稽核事件。 數量: 低。 |
DPAPI Activity
This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see https://go.microsoft.com/fwlink/?LinkId=121720. If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. Volume: Low. |
705 | RPC 事件
這個原則設定可讓您稽核傳入遠端程序呼叫 (RPC) 連線。 如果您設定這個原則設定,則會在嘗試遠端 RPC 連線時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在嘗試遠端 RPC 連線時產生稽核事件。 數量: 在 RPC 伺服器上是「高」。 |
RPC Events
This policy setting allows you to audit inbound remote procedure call (RPC) connections. If you configure this policy setting, an audit event is generated when a remote RPC connection is attempted. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a remote RPC connection is attempted. Volume: High on RPC servers. |
706 | PNP 活動
此原則設定可讓您在隨插即用偵測到外接式裝置時執行稽核。 若設定此原則設定,每當隨插即用偵測到外接式裝置時會產生稽核事件。此類別只會記錄成功稽核。 若未設定此原則設定,當隨插即用偵測到外接式裝置時不會產生稽核事件。 數量: 低 |
PNP Activity
This policy setting allows you to audit when plug and play detects an external device. If you configure this policy setting, an audit event is generated whenever plug and play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. Volume: Low |
707 | 權杖權限調整事件
此原則設定可讓您稽核透過調整權杖權限而產生的事件。 數量: 高。 預設值: 沒有稽核。 |
Token Right Adjustment Event
This policy setting allows you to audit events generated by adjusting the privileges of a token. Volume: High. Default: No Auditing. |
732 | 安全性狀態變更
這個原則設定可讓您稽核因電腦安全性狀態變更而產生的事件,例如下列事件: 電腦的啟動及關閉。 系統時間的變更。 從 CrashOnAuditFail 復原系統,這是在安全性事件記錄檔已滿且設定 CrashOnAuditFail 登錄項目時於系統重新啟動之後記錄。 數量: 低。 預設值: 成功。 |
Security State Change
This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: Startup and shutdown of the computer. Change of system time. Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured. Volume: Low. Default: Success. |
733 | 安全性系統延伸
這個原則設定可讓您稽核與安全性系統延伸或服務相關的事件,例如: 載入安全性系統延伸 (如驗證、通知或安全性封裝),並向本機安全性授權 (LSA) 進行註冊。它是用來驗證登入嘗試、提交登入要求,以及任何帳戶或密碼變更。Kerberos 及 NTLM 是安全性系統延伸的範例。 安裝服務,並向服務控制管理員進行註冊。稽核記錄包含服務名稱、二進位、類型、啟動類型及服務帳戶的相關資訊。 如果您設定這個原則設定,則會在嘗試載入安全性系統延伸時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在嘗試載入安全性系統延伸時產生稽核事件。 數量: 低。在網域控制站上產生安全性系統延伸事件的頻率會多於用戶端電腦或成員伺服器。 預設值: 沒有稽核。 |
Security System Extension
This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to authenticate logon attempts, submit logon requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM. A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account. If you configure this policy setting, an audit event is generated when an attempt is made to load a security system extension. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an attempt is made to load a security system extension. Volume: Low. Security system extension events are generated more often on a domain controller than on client computers or member servers. Default: No Auditing. |
734 | 系統完整性
這個原則設定可讓您稽核會破壞安全性子系統完整性的事件,例如: 因稽核系統發生問題而無法寫入事件記錄檔的事件。 使用本機程序呼叫 (LPC) 連接埠的處理程序,而此連接埠在透過與用戶端位址空間之間的回覆、讀取或寫入來嘗試模擬用戶端的過程中無效。 偵測到危害系統完整性的遠端程序呼叫 (RPC)。 偵測到程式碼完整性判斷為無效之可執行檔的雜湊值。 危害系統完整性的密碼編譯操作。 數量: 低。 預設值: 成功,失敗。 |
System Integrity
This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: Events that could not be written to the event log because of a problem with the auditing system. A process that uses a local procedure call (LPC) port that is not valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space. The detection of a Remote Procedure Call (RPC) that compromises system integrity. The detection of a hash value of an executable file that is not valid as determined by Code Integrity. Cryptographic operations that compromise system integrity. Volume: Low. Default: Success, Failure. |
735 | IPSEC 驅動程式
這個原則設定可讓您稽核因 IPsec 篩選器驅動程式而產生的事件,例如: IPsec 服務的啟動及關閉。 因完整性檢查失敗而丟棄的網路封包。 因重新執行檢查失敗而丟棄的網路封包。 因格式為純文字而丟棄的網路封包。 接收到具有不正確安全性參數索引 (SPI) 的網路封包。這可能表示網路卡未正確運作,或需要更新驅動程式。 無法處理 IPsec 篩選器。 如果您設定這個原則設定,則會在 IPsec 篩選器驅動程式操作上產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在 IPsec 篩選器驅動程式操作上產生稽核事件。 數量: 低。 預設值: 沒有稽核。 |
IPsec Driver
This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped due to being in plaintext. Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated. Inability to process IPsec filters. If you configure this policy setting, an audit event is generated on an IPsec filter driver operation. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated on an IPSec filter driver operation. Volume: Low. Default: No Auditing. |
736 | 其他系統事件
這個原則設定可讓您稽核下列任一事件: Windows 防火牆服務及驅動程式的啟動及關閉。 Windows 防火牆服務的安全性原則處理。 密碼編譯金鑰檔案及移轉操作。 數量: 低。 預設值: 成功,失敗。 |
Other System Events
This policy setting allows you to audit any of the following events: Startup and shutdown of the Windows Firewall service and driver. Security policy processing by the Windows Firewall Service. Cryptography key file and migration operations. Volume: Low. Default: Success, Failure. |
762 | 檔案系統
這個原則設定可讓您稽核使用者存取檔案系統物件的嘗試。只有已指定系統存取控制清單 (SACL) 的物件,以及要求的存取類型 (如寫入、讀取或修改) 及提出要求的帳戶符合 SACL 中的設定時,才會產生安全性稽核事件。如需啟用物件存取稽核的詳細資訊,請參閱 https://go.microsoft.com/fwlink/?LinkId=122083。 如果您設定這個原則設定,則會在每次帳戶存取具有相符 SACL 的檔案系統物件時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在每次帳戶存取具有相符 SACL 的檔案系統物件時產生稽核事件。 注意: 您可以使用該物件之 [內容] 對話方塊的 [安全性] 索引標籤,設定檔案系統物件的 SACL。 數量: 取決於檔案系統 SACL 的設定方式。 |
File System
This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see https://go.microsoft.com/fwlink/?LinkId=122083. If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. Note: You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. Volume: Depends on how the file system SACLs are configured. |
763 | 登錄
這個原則設定可讓您稽核存取登錄物件的嘗試。只有已指定系統存取控制清單 (SACL) 的物件,以及要求的存取類型 (如讀取、寫入或修改) 及提出要求的帳戶符合 SACL 中的設定時,才會產生安全性稽核事件。 如果您設定這個原則設定,則會在每次帳戶存取具有相符 SACL 的登錄物件時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在每次帳戶存取具有相符 SACL 的登錄物件時產生稽核事件。 注意: 您可以使用 [使用權限] 對話方塊來設定登錄物件的 SACL。 數量: 取決於登錄 SACL 的設定方式。 |
Registry
This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. Note: You can set a SACL on a registry object using the Permissions dialog box. Volume: Depends on how registry SACLs are configured. |
764 | 核心物件
這個原則設定可讓您稽核存取核心的嘗試 (包含 Mutex 及旗號)。 只有具有相符系統存取控制清單 (SACL) 的核心物件才會產生安全性稽核事件。 注意: [稽核: 稽核通用系統物件的存取] 原則設定可控制核心物件的預設 SACL。 數量: 如果啟用通用系統物件的稽核存取,則為「高」。 |
Kernel Object
This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. Note: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. Volume: High if auditing access of global system objects is enabled. |
765 | SAM
這個原則設定可讓您稽核因嘗試存取安全性帳戶管理員 (SAM) 物件而產生的事件。 SAM 物件包括: SAM_ALIAS -- 本機群組。 SAM_GROUP -- 不是本機群組的群組。 SAM_USER - 使用者帳戶。 SAM_DOMAIN - 網域。 SAM_SERVER - 電腦帳戶。 如果您設定這個原則設定,則會在嘗試存取核心物件時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在嘗試存取核心物件時產生稽核事件。 注意: 只可以修改 SAM_SERVER 的系統存取控制清單 (SACL)。 數量: 在網域控制站上是「高」。如需減少在這個子類別中產生之事件數量的詳細資訊,請參閱 Microsoft 知識庫文章 841001 (https://go.microsoft.com/fwlink/?LinkId=121698)。 |
SAM
This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following: SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER – A user account. SAM_DOMAIN – A domain. SAM_SERVER – A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. Note: Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=121698). |
766 | 憑證服務
這個原則設定可讓您稽核 Active Directory 憑證服務 (AD CS) 操作。 AD CS 操作包括: AD CS 啟動/關閉/備份/還原。 憑證撤銷清單 (CRL) 的變更。 新的憑證要求。 憑證的發出。 憑證的撤銷。 AD CS 的憑證管理員設定變更。 AD CS 組態的變更。 憑證服務範本的變更。 憑證的匯入。 憑證授權單位憑證的發佈是針對 Active Directory 網域服務。 AD CS 的安全性權限變更。 金鑰的封存。 金鑰的匯入。 金鑰的抓取。 線上憑證狀態通訊協定 (OCSP) 回應程式服務的啟動。 線上憑證狀態通訊協定 (OCSP) 回應程式服務的停止。 數量: 在執行 Active Directory 憑證服務的電腦上是「中」或「低」。 |
Certification Services
This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations. AD CS operations include the following: AD CS startup/shutdown/backup/restore. Changes to the certificate revocation list (CRL). New certificate requests. Issuing of a certificate. Revocation of a certificate. Changes to the Certificate Manager settings for AD CS. Changes in the configuration of AD CS. Changes to a Certificate Services template. Importing of a certificate. Publishing of a certification authority certificate is to Active Directory Domain Services. Changes to the security permissions for AD CS. Archival of a key. Importing of a key. Retrieval of a key. Starting of Online Certificate Status Protocol (OCSP) Responder Service. Stopping of Online Certificate Status Protocol (OCSP) Responder Service. Volume: Medium or Low on computers running Active Directory Certificate Services. |
767 | 產生的應用程式
這個原則設定可讓您稽核使用 Windows 稽核應用程式開發介面 (API) 產生事件的應用程式。設計成使用 Windows 稽核 API 的應用程式,會使用這個子類別來記錄與其功能相關的稽核事件。 這個子類別中的事件包含: 應用程式用戶端內容的建立。 應用程式用戶端內容的刪除。 應用程式用戶端內容的初始化。 其他使用 Windows 稽核 API 的應用程式操作。 數量: 取決於產生它們的應用程式。 |
Application Generated
This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. Events in this subcategory include: Creation of an application client context. Deletion of an application client context. Initialization of an application client context. Other application operations using the Windows Auditing APIs. Volume: Depends on the applications that are generating them. |
768 | 控制代碼操作
這個原則設定可讓您稽核開啟或關閉物件控制代碼時產生的事件。只有具有相符系統存取控制清單 (SACL) 的物件才會產生安全性稽核事件。 如果您設定這個原則設定,則會在操作控制代碼時產生稽核事件。成功稽核會記錄成功嘗試,而失敗稽核則會記錄失敗嘗試。 如果您未設定這個原則設定,則不會在操作控制代碼時產生稽核事件。 注意: 這個子類別中的事件只有針對啟用對應物件存取子類別的物件類型,才會產生事件。例如,如果啟用檔案系統物件存取,則會產生控制代碼操作安全性稽核事件。如果未啟用登錄物件存取,則不會產生控制代碼操作安全性稽核事件。 數量: 取決於 SACL 的設定方式。 |
Handle Manipulation
This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when a handle is manipulated. Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. Volume: Depends on how SACLs are configured. |
769 | 檔案共用
這個原則設定可讓您稽核存取共用資料夾的嘗試。 如果您設定這個原則設定,則會在嘗試存取共用資料夾時產生稽核事件。如果定義這個原則設定,則系統管理員可以指定只稽核成功、只稽核失敗,或同時稽核兩者。 注意: 共用資料夾沒有系統存取控制清單 (SACL)。如果啟用這個原則設定,則會稽核系統上所有共用資料夾的存取。 數量: 因為群組原則需要 SYSVOL 網路存取,所以在檔案伺服器或網域控制站上是「高」。 |
File Share
This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited. Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy. |
770 | Windows 篩選平台封包丟棄
這個原則設定可讓您稽核 Windows 篩選平台 (WFP) 丟棄的封包。 數量: 高。 |
Windows Filtering Platform Packet Drop
This policy setting allows you to audit packets that are dropped by Windows Filtering Platform (WFP). Volume: High. |
771 | Windows 篩選平台連線
這個原則設定可讓您稽核 Windows 篩選平台 (WFP) 允許或封鎖的連線。包含下列事件: Windows 防火牆服務封鎖應用程式,使其無法接受網路的連入連線。 WFP 允許連線。 WFP 封鎖連線。 WFP 允許本機連接埠的繫結。 WFP 封鎖本機連接埠的繫結。 WFP 允許連線。 WFP 封鎖連線。 WFP 允許應用程式或服務接聽進行連入連線的連接埠。 WFP 封鎖應用程式或服務接聽進行連入連線的連接埠。 如果您設定這個原則設定,則會在 WFP 允許或封鎖連線時產生稽核事件。成功稽核會記錄允許連線時產生的事件,而失敗稽核則會記錄封鎖連線時產生的事件。 如果您未設定這個原則設定,則不會在 WFP 允許或封鎖連線時產生稽核事件。 數量: 高。 |
Windows Filtering Platform Connection
This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP). The following events are included: The Windows Firewall Service blocks an application from accepting incoming connections on the network. The WFP allows a connection. The WFP blocks a connection. The WFP permits a bind to a local port. The WFP blocks a bind to a local port. The WFP allows a connection. The WFP blocks a connection. The WFP permits an application or service to listen on a port for incoming connections. The WFP blocks an application or service to listen on a port for incoming connections. If you configure this policy setting, an audit event is generated when connections are allowed or blocked by the WFP. Success audits record events generated when connections are allowed and Failure audits record events generated when connections are blocked. If you do not configure this policy setting, no audit event is generated when connected are allowed or blocked by the WFP. Volume: High. |
772 | 其他物件存取事件
這個原則設定可讓您稽核因管理工作排程器物件或 COM+ 物件而產生的事件。 如果是排程器工作,則會稽核下列項目: 建立工作。 刪除工作。 啟用工作。 停用工作。 更新工作。 如果是 COM+ 物件,則會稽核下列項目: 新增類別目錄物件。 更新類別目錄物件。 刪除類別目錄物件。 數量: 低。 |
Other Object Access Events
This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: Job created. Job deleted. Job enabled. Job disabled. Job updated. For COM+ objects, the following are audited: Catalog object added. Catalog object updated. Catalog object deleted. Volume: Low. |
773 | 詳細的檔案共用
這個原則設定可讓您稽核存取共用資料夾中之檔案及資料夾的嘗試。[詳細的檔案共用] 設定記錄每次存取檔案或資料夾的事件,而 [檔案共用] 設定對於用戶端和檔案共用之間建立的任何連線只會記錄一次事件。[詳細的檔案共用] 稽核的事件,包括關於權限或用來授與或拒絕存取之其他條件的詳細資訊。 如果您設定此原則設定,當嘗試存取共用上的檔案或資料夾時,就會產生稽核事件。系統管理員可以指定只稽核成功、只稽核失敗,或同時稽核兩者。 注意: 共用資料夾沒有系統存取控制清單 (SACL)。如果啟用此原則設定,則會稽核系統上所有共用檔案和資料夾的存取。 數量: 因為群組原則需要 SYSVOL 網路存取,所以在檔案伺服器或網域控制站上是「高」。 |
Detailed File Share
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited. Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy. |
774 | 抽取式存放裝置
此原則設定可以讓您稽核存取抽取式存放裝置上之檔案系統物件的使用者嘗試。安全性稽核事件只會針對所有要求之存取類型的所有物件產生。 如果您設定此原則設定,每當有帳戶存取抽取式存放裝置上的檔案系統物件時,就會產生稽核事件。成功稽核會記錄成功的嘗試,失敗稽核會記錄失敗的嘗試。 如果您未設定此原則設定,當有帳戶存取抽取式存放裝置上的檔案系統物件時,就不會產生稽核事件。 |
Removable storage
This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. |
775 | 集中存取原則執行
此原則設定可以讓您稽核下列情況的存取要求: 建議之原則授與或拒絕的權限,與物件上目前的集中存取原則不同。 如果您設定此原則設定,每當使用者存取物件時,若物件上目前的集中存取原則授與的權限與建議之原則授與的權限不同時,就會產生稽核事件。產生的稽核事件將以下列方式產生: 1) 成功稽核 (設定時) 會記錄下列情況的存取嘗試: 當目前的集中存取原則授與存取權,而建議之原則拒絕存取權時。 2) 失敗稽核 (設定時) 會記錄下列情況的存取嘗試: a) 目前的集中存取原則未授與存取權,而建議之原則授與存取權時。 b) 某主體要求允許的最大存取權限,而目前的集中存取原則授與的存取權限與建議之原則授與的存取權限不同時。 數量: 當建議之原則與目前的集中存取原則明顯不同時,在檔案伺服器上可能是高的。 預設值: 不進行稽核 |
Central Access Policy Staging
This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event will be generated as follows: 1) Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access. 2) Failure audits when configured records access attempts when: a) The current central access policy does not grant access but the proposed policy grants access. b) A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy. Volume: Potentially high on a file server when the proposed policy differs significantly from the current central access policy. Default: No Auditing |
792 | 目錄服務存取
這個原則設定可讓您稽核存取 Active Directory 網域服務 (AD DS) 物件時產生的事件。 只會記錄具有相符系統存取控制清單 (SACL) 的 AD DS 物件。 這個子類別中的事件與舊版 Windows 中的目錄服務存取事件類似。 數量: 在網域控制站上是「高」,在用戶端電腦上則是「無」。 用戶端版本的預設值: 沒有稽核。 伺服器版本的預設值: 成功。 |
Directory Service Access
This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. Only AD DS objects with a matching system access control list (SACL) are logged. Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows. Volume: High on domain controllers. None on client computers. Default on Client editions: No Auditing. Default on Server editions: Success. |
793 | Active Directory 網域服務物件變更
此原則設定可讓您稽核因 Active Directory 網域服務 (AD DS) 中物件變更而產生的事件。建立、刪除、修改、移動或取消刪除物件時,會記錄事件。 如果可能,記錄在這個子類別中的事件會指出物件內容的新舊值。 只有在網域控制站上才會記錄這個子類別中的事件,而且只會記錄 AD DS 中具有相符系統存取控制清單 (SACL) 的物件。 注意: 因為結構描述中的物件類別設定,所以部分物件及內容的動作不會產生稽核事件。 若設定此原則設定,則會在嘗試變更 AD DS 中的物件時產生稽核事件。成功稽核會記錄成功嘗試,但不會記錄不成功的嘗試。 若未設定此原則設定,則不會在嘗試變更 AD DS 中的物件時產生稽核事件。 數量: 只有在網域控制站上是「高」。 預設值: 沒有稽核。 |
Active Directory Domain Services Object Changes
This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object’s properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. Note: Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. If you do not configure this policy setting, no audit event is generated when an attempt to change an object in AD DS object is made. Volume: High on domain controllers only. Default: No Auditing |
794 | 目錄服務複寫
這個原則設定可讓您稽核兩部 Active Directory 網域服務 (AD DS) 網域控制站之間的複寫。 如果您設定這個原則設定,則會在 AD DS 複寫期間產生稽核事件。成功稽核會記錄成功複寫,而失敗稽核則會記錄失敗複寫。 如果您未設定這個原則設定,則不會在 AD DS 複寫期間產生稽核事件。 注意: 這個子類別中的事件只會記錄在網域控制站上。 數量: 在網域控制站上是「中」,在用戶端電腦上則是「無」。 預設值: 沒有稽核。 |
Directory Service Replication
This policy setting allows you to audit replication between two Active Directory Domain Services (AD DS) domain controllers. If you configure this policy setting, an audit event is generated during AD DS replication. Success audits record successful replication and Failure audits record unsuccessful replication. If you do not configure this policy setting, no audit event is generated during AD DS replication. Note: Events in this subcategory are logged only on domain controllers. Volume: Medium on domain controllers. None on client computers. Default: No Auditing. |
795 | 詳細目錄服務複寫
這個原則設定可讓您稽核因網域控制站之間的詳細 Active Directory 網域服務 (AD DS) 複寫而產生的事件。 數量: 高。 預設值: 沒有稽核。 |
Detailed Directory Service Replication
This policy setting allows you to audit events generated by detailed Active Directory Domain Services (AD DS) replication between domain controllers. Volume: High. Default: No Auditing. |
822 | 認證驗證
這個原則設定可讓您稽核因使用者帳戶登入認證的驗證測試而產生的事件。 只有在授權可以使用那些認證的電腦上,才會發生這個子類別中的事件。如果是網域帳戶,則網域控制站具有授權。如果是本機帳戶,則本機電腦具有授權。 數量: 在網域控制站上是「高」。 用戶端版本的預設值: 沒有稽核。 伺服器版本的預設值: 成功。 |
Credential Validation
This policy setting allows you to audit events generated by validation tests on user account logon credentials. Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. Volume: High on domain controllers. Default on Client editions: No Auditing. Default on Server editions: Success. |
823 | Kerberos 服務票證操作
這個原則設定可讓您稽核因針對使用者帳戶提交 Kerberos 驗證票證授權票證 (TGT) 要求而產生的事件。 如果您設定這個原則設定,則會在針對使用者帳戶要求 Kerberos 驗證 TGT 之後產生稽核事件。成功稽核會記錄成功要求,而失敗稽核則會記錄失敗要求。 如果您未設定這個原則設定,則不會在針對使用者帳戶要求 Kerberos 驗證 TGT 之後產生稽核事件。 數量: 低。 用戶端版本的預設值: 沒有稽核。 伺服器版本的預設值: 成功。 |
Kerberos Service Ticket Operations
This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT is request for a user account. Volume: Low. Default on Client editions: No Auditing. Default on Server editions: Success. |
824 | 其他帳戶登入事件
這個原則設定可讓您稽核因回應針對使用者帳戶登入提交的認證要求而產生的事件,而這些要求不是認證驗證或 Kerberos 票證。 目前,此子類別中沒有任何事件。 預設值: 沒有稽核。 |
Other Account Logon Events
This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. Currently, there are no events in this subcategory. Default: No Auditing. |
825 | Kerberos 驗證服務
這個原則設定可讓您稽核因 Kerberos 驗證票證授權票證 (TGT) 要求而產生的事件。 如果您設定這個原則設定,則會在 Kerberos 驗證 TGT 要求之後產生稽核事件。成功稽核會記錄成功要求,而失敗稽核則會記錄失敗要求。 如果您未設定這個原則設定,則不會在 Kerberos 驗證 TGT 要求之後產生稽核事件。 數量: 在 Kerberos 金鑰發佈中心伺服器上是「高」。 用戶端版本的預設值: 沒有稽核。 伺服器版本的預設值: 成功。 |
Kerberos Authentication Service
This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful requests and Failure audits record unsuccessful requests. If you do not configure this policy setting, no audit event is generated after a Kerberos authentication TGT request. Volume: High on Kerberos Key Distribution Center servers. Default on Client editions: No Auditing Default on Server editions: Success. |
File Description: | 稽核原則 MMC 嵌入式管理單元訊息 |
File Version: | 10.0.15063.0 (WinBuild.160101.0800) |
Company Name: | Microsoft Corporation |
Internal Name: | AuditPolSnapInMsg |
Legal Copyright: | © Microsoft Corporation. All rights reserved. |
Original Filename: | AuditPolMsg.DLL.MUI |
Product Name: | Microsoft® Windows® Operating System |
Product Version: | 10.0.15063.0 |
Translation: | 0x404, 1200 |