Hi,
I was hitting this issue also and found the following:
If you look in C:\Windows\security\logs\winlogon.log, you can see the message 'Legacy audit settings are disabled. Skipped configuration of legacy audit settings' when it would be bringing down the audit settings. The skipping of legacy policies applying is controlled by the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." setting (for me it is currently set to enabled in the default domain controller policy, Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies - Security Options).
There are three ways we should be able to work around this:
1. Set the group policy setting to disabled to enable legacy audit settings.
2. Disable in the registry - This way we should be able to limit the change only to the domain controller we are using for ADMT - however, I have tested this in my lab and it did not seem to resolve the issue as it still disabled legacy settings.
3. Increase the auditing in the sub-categories to make the change on the root category. Basically it appears that unless all options in a sub-category are configured, the root category will not be configured, so by setting all of the options in a sub-category we should get the result we want. The settings that would have to be configured are:
Computer Configuration - Policies - Windows Settings - Security Settings - Advanced Audit Policy Configuration - Audit policies - Account Management - Set all to Success and Failure
Computer Configuration - Policies - Windows Settings - Security Settings - Advanced Audit Policy Configuration - Audit policies - DS Access - Set all to Success
By setting all of these advanced policies to the same setting, it seems to set the main category to the same setting.
This resolved the issue for me, but let me know how you go.
Cheers
Heath
Proposed as answer by slavatem, Tuesday, March 19, 2013 5:00 AM
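
To confirm on the domain controller which of the states described in the answer above is in effect, the following read-only check can be run from an elevated PowerShell prompt. It is an added example, not part of the original post. It assumes an English-language OS (auditpol names are localized), that the policy is stored in the `SCENoApplyLegacyAuditPolicy` registry value, and that "Success and Failure" is acceptable where the post asks for "Success".

```powershell
# Added example: read-only checks, run from an elevated prompt on the DC.
# Assumes an English-language OS (auditpol category and setting names are localized).

# 1. Is "Audit: Force audit policy subcategory settings..." in effect? (1 = enabled)
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
$force = if ($lsa) { $lsa.SCENoApplyLegacyAuditPolicy } else { '(not set)' }
"SCENoApplyLegacyAuditPolicy = $force"

# 2. Did security policy processing log that legacy settings were skipped?
$log = Join-Path $env:windir 'security\logs\winlogon.log'
if (Test-Path $log) {
    $hits = @(Select-String -Path $log -SimpleMatch 'Legacy audit settings are disabled')
    "winlogon.log 'Legacy audit settings are disabled' messages: $($hits.Count)"
}

# 3. Effective subcategory settings versus the values listed in the post.
$wanted = @{
    'Account Management' = 'Success and Failure'
    'DS Access'          = 'Success'
}
$report = foreach ($category in $wanted.Keys) {
    auditpol /get /category:"$category" /r |
        Where-Object { $_ } |                  # drop blank lines in the CSV report
        ConvertFrom-Csv |
        ForEach-Object {
            $actual = $_.'Inclusion Setting'
            # Assumption: "Success and Failure" also satisfies a "Success" requirement.
            $ok = ($actual -eq $wanted[$category]) -or ($actual -eq 'Success and Failure')
            [pscustomobject]@{
                Category    = $category
                Subcategory = $_.Subcategory
                Actual      = $actual
                Wanted      = $wanted[$category]
                Ok          = $ok
            }
        }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) {
    'Some subcategories are not at the listed setting.'
}
```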