Event ID 807 – Per User Auditing Policy Set For User
Event 807 is logged when the Per-User Audit Policy is set for a user. The Per-User Audit Policy fine-tunes the audit policy to the environment's particular needs, so that only the success and failure events of important audit categories and objects are logged. Per-user auditing provides a way to include and exclude event categories on a per-security-principal basis.
This log has the following information:
- Security ID
- Account Name
- Account Domain
- Logon ID
- Security ID
- Subcategory GUID
Why does event ID 807 need to be monitored?
- To ensure security events are not disabled for certain specific users
- To check if global auditing is enabled
- To monitor the activity of high-value accounts
- To check whether per-user auditing is being used outside of standard procedures
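The reasons above can be applied as a small triage over exported events. This is an added example, not part of the original page or of any product it mentions: the record layout, the `triage` and `make_event` names, and all SIDs, GUIDs and logon IDs are constructed. It assumes the first Security ID in the event is the account that made the change and the second is the user whose policy was set.

```python
from collections import defaultdict

# Event 807 (Windows 2000/2003/XP) and 4912 (Vista/2008) record the same change.
PER_USER_AUDIT_EVENT_IDS = {807, 4912}

def triage(events, high_value_sids, approved_actor_sids):
    """Group per-user audit policy changes by target user and flag risky ones.

    Assumption: "subject_sid" is the first Security ID in the event (who made
    the change) and "target_sid" is the second (whose policy was set).
    """
    grouped = defaultdict(lambda: {"actors": set(), "subcategories": set(), "reasons": set()})
    for ev in events:
        if ev["event_id"] not in PER_USER_AUDIT_EVENT_IDS:
            continue  # unrelated event
        entry = grouped[ev["target_sid"]]
        entry["actors"].add(ev["subject_sid"])
        entry["subcategories"].add(ev["subcategory_guid"].strip("{}").lower())
        if ev["target_sid"] in high_value_sids:
            entry["reasons"].add("high-value account")
        if ev["subject_sid"] not in approved_actor_sids:
            entry["reasons"].add("change outside standard procedure")
    return [
        {"target_sid": sid, "actors": sorted(e["actors"]),
         "subcategories": sorted(e["subcategories"]),
         "reasons": sorted(e["reasons"]), "alert": bool(e["reasons"])}
        for sid, e in sorted(grouped.items())
    ]

# Constructed sample data: SIDs, GUIDs and logon IDs are made up.
DOMAIN = "S-1-5-21-1111-2222-3333"
HIGH_VALUE_SIDS = {f"{DOMAIN}-1104"}
APPROVED_ACTOR_SIDS = {f"{DOMAIN}-500"}

def make_event(event_id, subject_rid, name, target_rid, guid):
    return {"event_id": event_id, "subject_sid": f"{DOMAIN}-{subject_rid}",
            "account_name": name, "account_domain": "EXAMPLE", "logon_id": "0x3e7a1",
            "target_sid": f"{DOMAIN}-{target_rid}", "subcategory_guid": guid}

SAMPLE_EVENTS = [
    make_event(807, 500, "admin1", 1105, "{00000000-0000-0000-0000-0000000000A1}"),
    make_event(4912, 1210, "jdoe", 1104, "{00000000-0000-0000-0000-0000000000B2}"),
    make_event(807, 500, "admin1", 1104, "{00000000-0000-0000-0000-0000000000A1}"),
    {"event_id": 4624},  # unrelated logon event, ignored
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, HIGH_VALUE_SIDS, APPROVED_ACTOR_SIDS):
        print(finding)
```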
ADAudit Plus helps you avoid the complexities of GPO monitoring with pre-configured real-time reports, auditing of changes, and alerts within a domain and OU. Its advanced real-time Group Policy settings audit reports highlight elusive change details and also provide the old and new values of the modified attributes.
Event 807 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
The corresponding event ID in Windows 2008 and Windows Vista is 4912.