Hi, my colleague created GPO linked to a whole domain with only one setting - to audit object access (success, failure). Of course on particular shared folder auditing was enabled too. Everything worked well but I noticed that normal user activities such as logon/logoff, user locking etc. were not written to security log on DCs as soon as this GPO came into play. Only events in security log on DCs are those which said that audit policy changed by System account. This is strange to say at least since default domain controller policy had all necesarry settings set up (audit: account logon events,logon events, . . .) and default domain controller policy should have not been overriden by any GPO linked to a domain having in mind how GPO gets applied.

As soon as I removed GPO link to whole domain and did gpupdate /refresh security log on DCs started to fill up with records of user activities. I assume audit settings in some GPO are applied in the same way as the others - GPO linked to OU takes precedence over inherited GPO from higher levels (site, domain, parent OUs).