Now that you know your rights, how do you ensure that users don't abuse those rights? Your first step is to go to User Manager for Domains and activate auditing. Choosing to audit for successful use of Use of User Rights lets you monitor your users' successful use of certain rights. Choosing to audit for unsuccessful (i.e., failed) use of Use of User Rights lets you track users who attempt to use rights incorrectly. However, this auditing feature won't audit all user rights because some rights can generate thousands of entries. Consider the Back up files and directories right. If a user who has this right were to back up a server, and you had activated auditing for successful use of Use of User Rights, an entry for each backed-up file would appear in the log. No administrator wants to wade through so many irrelevant log entries.
You can activate auditing of the Back up files and directories and Restore files and directories rights by modifying the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. Create or edit the FullPrivilegeAuditing subkey, of type REG_BINARY, with a value of 1. Reboot the system to effect the change, and update your Emergency Repair Disk (ERD).
Even if you decide to edit the registry in this way, the system still won't audit these rights: Bypass traverse checking, Create a token object, Debug programs, and Generate security audits. The only auditing that the system performs on these four rights occurs when you first assign them to a user or group. For more information about auditing user rights, see the Microsoft article "Auditing User Right Assignment Changes" (http://support.microsoft.com/support/kb/articles/q163/9/05.asp).
