Auditors can preselect individual users as having their volume and container actions audited. For details about preselecting individuals for volume and container auditing, see Audit by User, User Restriction, Audit by User, and User Restriction. The ability to preselect users is not related to the auditor's NDS rights to the User objects.
A user who is configured as an Audit Administrator (with at least Read and Write rights to the Audit Policy property) of the Audit File object for any volume or container can preselect any user in the Directory tree.
That is, if SMITH is an auditor for volume SYS: on Server 1, then she can preselect (mark or unmark) any user in the Directory tree to be audited, even if the user being preselected is not a user of Server 1 and the User object is not in an partition stored on Server 1.
For this reason, it is important to ensure that all auditors are properly trained regarding the organization's policy on which users are preselected.
A user who has the Write right to the Audit Path property of an Audit File object used for external auditing can redirect audit data to an alternate volume or server, thus causing loss of access to the old audit data. To do this, a user does not need any rights to the server or volume that will hold the new audit data.
The disk space taken by external audit files cannot be recovered except by a user with the Write right to the Audit Policy of the corresponding Audit File object. For example, if user SMITH is an auditor of some external audit trail A, then user SMITH can cause external audit data to be stored on all servers in the network, even if she has no rights to files on any of those servers.
Therefore, it is important to ensure that all auditors are properly trained regarding the organization's policy on where external audit data files are stored.