By default, auditing of all user rights is not enabled regardless of the settings in the audit policy. Therefore, if a user has the right to back up files, that user can access any file on the system; this would not be captured by auditing. To audit the use of such rights, apply following.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_DWORD
Value: 1

Caution: because of the Bypass Traverse Checking right, this will fill the audit log FAST.

Gives an in-depth look at the NT/Windows 95/98 system policies. Step-by-step walkthroughs.