I am under the impression that events 4656 and 4658 are created when the subcategory "Handle Manipulation" is enabled and that Microsoft recommends not enabling this because these are very noisy events with very little worth. I believe that Microsoft recommends the use of the 4663 event, which shows the actual access of the object and is only recorded once during the initial opening of an object.
This leads me to three questions:
1. My Active Directory administrator told me that our GPO for Windows 7 workstations doesn't have "Handle Manipulation" enabled. If this is the case, how are these events being generated?
2. How can I review the GPO to tell if it's actually enabled or not?
3. Assuming that it's enabled and I disable it, will I still get the 4663 event?