Audit Policies are not being applied !
Hi,

The audit policies have been set in a GPO that is applied to our 2008 R2 servers, but they are not reflected in the local security policy. I referred to the article http://support.microsoft.com/kb/921468, but in vain. I enforced this policy, but no luck. In the local GPO, I can see the policy is enforced; however, the values are not set. How do I enable these settings?

The GPO has the following configured

When I try the auditpol /get command, I get the following message:

    C:\Windows\System32>auditpol.exe /get
    Error 0x00000057 occurred:
    The parameter is incorrect.

    Usage: AuditPol command [<sub-command><options>]

    Commands (only one command permitted per execution)
      /?             Help (context-sensitive)
      /get           Displays the current audit policy.
      /set           Sets the audit policy.
      /list          Displays selectable policy elements.
      /backup        Saves the audit policy to a file.
      /restore       Restores the audit policy from a file.
      /clear         Clears the audit policy.
      /remove        Removes the per-user audit policy for a user account.
      /resourceSACL  Configure global resource SACLs

    Use AuditPol <command> /? for details on each command

Thanks !
May 2nd, 2012 7:25pm

Hi,

Is the GPO assigned to the OU which contains all the 2008 R2 servers? Do you apply any filter for this GPO?

Because there is no parameter for "auditpol.exe /get", it shows "The parameter is incorrect".

For more information:
Auditpol get
http://technet.microsoft.com/en-us/library/cc772576(v=ws.10).aspx

Regards,
Terry | My Blog: http://terrytlslau.tls1.cc
May 3rd, 2012 12:14am

Hello Terry,

Is the GPO assigned to the OU which contains all the 2008 R2 servers? Yes
Do you apply any filter for this GPO? No filter has been applied

The strange part is, apart from the audit policies, all other policies were applied. For testing, I even modified a few policies in the GPO and they were found to be working fine. I can't figure out why the audit policies were not applied.

Here is the output of the command auditpol /get /category:*

    ============================================
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   No Auditing
    ============================================

Here is the snapshot of RSOP

Thanks !
May 3rd, 2012 5:20pm

Hi, Could you take a snapshot of "Computer Configuration properties" in RSOP for verifying? Regards, Terry | My Blog: http://terrytlslau.tls1.cc
May 3rd, 2012 10:57pm

Hi,

Thank you for the post.

I tested the audit policy on my computers, so let me explain more about the audit policy GP issue:

1. Regarding KB921468, the override audit policy's default value is enabled though it shows Not Defined. So please set it to Disabled.

2. The override audit policy works when you have not set any subcategory audit policies. You cannot set both category level and subcategory level audit policies, since no category audit policies will work. So MS recommends setting subcategory audit policies via group policy or startup script.
   http://support.microsoft.com/kb/921469

3. In your scenario, it may be that some policy configured subcategory audit policies once and the configuration was then removed. To find the policy, search for audit.csv in the \\domain.com\sysvol folder. Then there are two solutions you could choose from:

   . Record the GPO ID, delete the audit.csv file, run ADSI edit--Default naming context--DC--system--Policies--GPO ID--Properties--gPCMachineExtensionNames attribute--remove string [{F3CCC681-B74C-4060-9F26-CD84535DCA2A}{0F3F3735-573D-9804-99E4-B2A69BA5FD4}]
     http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/0486c801-8980-4afa-8fee-8cc1409c3ee2

   . Record the GPO ID and settings, create a new GPO with the same settings (do not copy the policy) and delete the old GPO
     http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

If there are more inquiries on this issue, please feel free to let us know.

Regards,
Rick Tan
TechNet Community Support
May 4th, 2012 2:44am
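
The three checks from the reply above, collected into one script as an added example (not code from the thread or from Microsoft). It assumes an elevated PowerShell prompt on the affected member server, that the override policy is stored as the `SCENoApplyLegacyAuditPolicy` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and the standard `\\<domain>\SYSVOL\<domain>\Policies` layout; the function, parameter and output property names are illustrative.

```powershell
# Added example: function, parameter and output property names are illustrative.
function Get-AuditPolicyDiagnosis {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: domain whose SYSVOL is searched

    # 1. Registry value behind "Audit: Force audit policy subcategory settings ...".
    #    0 = Disabled, 1 = Enabled, $null = value not present in the registry.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
    $override = if ($lsa) { $lsa.SCENoApplyLegacyAuditPolicy } else { $null }

    # 2. Effective subcategory policy; /r makes auditpol emit CSV. Requires elevation.
    $effective = @(auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv)
    $audited   = @($effective | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' })

    # 3. GPOs holding subcategory settings store them in audit.csv under SYSVOL.
    $gpos = @()
    if ($Domain) {
        $gpos = @(Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Recurse `
                -Filter 'audit.csv' -ErrorAction SilentlyContinue | ForEach-Object {
            $rows = @(Get-Content -LiteralPath $_.FullName | Where-Object { $_ } | ConvertFrom-Csv)
            $id   = if ($_.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { $null }
            New-Object PSObject -Property @{ GpoId = $id; Rows = $rows.Count; Path = $_.FullName }
        })
    }

    # The situation in this thread: override not Disabled, yet nothing is audited.
    $suspect = ($override -ne 0) -and ($audited.Count -eq 0)

    New-Object PSObject -Property @{
        OverrideValue               = $override
        AuditedSubcategories        = $audited.Count
        GposWithAuditCsv            = $gpos
        CategoryPolicyLikelyIgnored = $suspect
    }
}

Get-AuditPolicyDiagnosis | Format-List
```

Run it again after `gpupdate /force`; a change in `AuditedSubcategories` shows whether the policy change reached the server.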

"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." - I have disabled this policy and executed gpupdate /force on member server, Audit policies were applied on the member server. Many thanks Rick and Terry. Thanks again for your time and assistance. Thanks !
May 4th, 2012 3:10am

This topic is archived. No further replies will be accepted.
