We've got policy established that is supposed to audit failed attempts to access files in the All Users Profile directory, specifically for Symantec applications (Endpoint Protection, BackupExec).
We used Group Policy File Security to define audit policy on %AllUsersProfile%\Symantec\ on both Windows XP / 2003 systems and Windows 2008 / Windows 7 systems. For some reason, on the 2008/7 systems, we're getting repeated messages of 4907 "Auditing settings on object were changed"
I've heard that this could be something to do with the way Windows 2008/7 user a symbolic link for the legacy references for areas such as All Users Profile. Something like the policy attempts to set the audit settings on the sym link, end up propagating to the actual folders, but then detect them missing on the sym link and attempt to reapply. What I'm not sure of is how to fix this in my policy short of defining an absolute path to the version 5 kernel and version 6 kernel separately.
Am I ballpark here as to why the event 4907 is being generated? The low count on this is 264 per object in one week. The high end is 1298 occurrences in the same timeframe.