By default, auditing of all user rights is not enabled,
regardless of the settings in the audit policy. Therefore, a user who has the
right to back up files can access any file on the system, and that access is
not captured by auditing. To audit the use of such rights, apply the following registry setting.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_DWORD
Value: 1
Caution: because of the Bypass Traverse Checking
right, this will fill the audit log FAST.
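
One way to check whether the setting above is in place and apply it if not. This is an added example, not part of the original tip: the function name Test-FullPrivilegeAuditing and its output fields are hypothetical, while the hive, key, name, type and value are the ones given above.

```powershell
# Added example: report on, and optionally apply, the FullPrivilegeAuditing value.
# Function name and output fields are illustrative, not from the original tip.
function Test-FullPrivilegeAuditing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Apply   # without -Apply the function only reports
    )

    $path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name     = 'FullPrivilegeAuditing'
    $expected = 1        # REG_DWORD 1, as stated in the tip

    # Read the current value and its registry type, if the value exists.
    $key     = Get-Item -LiteralPath $path -ErrorAction Stop
    $exists  = $key.GetValueNames() -contains $name
    $current = $null
    $kind    = $null
    if ($exists) {
        $current = $key.GetValue($name)
        $kind    = $key.GetValueKind($name)
    }

    $isDword   = $kind -eq [Microsoft.Win32.RegistryValueKind]::DWord
    $compliant = $isDword -and ($current -eq $expected)

    if ($Apply -and -not $compliant) {
        if ($exists -and -not $isDword) {
            # Edge case: a value of another type is already present; leave it for manual review.
            Write-Warning "$name exists as $kind, not DWord; not overwriting."
        }
        elseif ($PSCmdlet.ShouldProcess("$path\$name", "Set REG_DWORD $expected")) {
            New-ItemProperty -LiteralPath $path -Name $name -PropertyType DWord `
                -Value $expected -Force | Out-Null
            $current = $expected
            $kind    = [Microsoft.Win32.RegistryValueKind]::DWord
            $compliant = $true
        }
    }

    [pscustomobject]@{ Path = "$path\$name"; Kind = $kind; Value = $current; Compliant = $compliant }
}

Test-FullPrivilegeAuditing                    # report only
# Test-FullPrivilegeAuditing -Apply -WhatIf   # preview the change
# Test-FullPrivilegeAuditing -Apply           # set the value (run elevated)
```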