OVAL

Audit Policy: Audit policy change

ID: oval:org.secpod.oval:def:18904
Date: (C)2014-05-29   (M)2021-06-02
Class: COMPLIANCE
Family: windows




Auditing of Audit policy change events on success should be enabled or disabled as appropriate. The Audit Audit Policy Change setting determines whether the operating system generates audit events when changes are made to audit policy. Changes to audit policy that are audited include:

* Changing permissions and audit settings on the audit policy object (by using auditpol /set /sd).
* Changing the system audit policy.
* Registering and unregistering security event sources.
* Changing per-user audit settings.
* Changing the value of CrashOnAuditFail.
* Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key).
* Changing anything in the Special Groups list.

Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change
(2) REG: NO INFO

Platform:
Microsoft Windows Server 2008 R2
Reference:
CCE-10803-5
CPE    1
cpe:/o:microsoft:windows_server_2008:r2
CCE    1
CCE-10803-5

© SecPod Technologies