Audit Policies are not being applied!
Hi,
The audit policies have been set in a GPO that is applied to our 2008 R2 servers, but they are not reflected in the local security policy.
I referred to the article http://support.microsoft.com/kb/921468, but in vain.
I enforced this policy, but no luck.
In the local GPO, I can see the policy is enforced; however, the values are not set. How do I enable these settings?
The GPO has the following configured:
When I try the auditpol /get command, I get the following message:
C:\Windows\System32>auditpol.exe /get
Error 0x00000057 occurred:
The parameter is incorrect.
Usage: AuditPol command [<sub-command><options>]
Commands (only one command permitted per execution)
/? Help (context-sensitive)
/get Displays the current audit policy.
/set Sets the audit policy.
/list Displays selectable policy elements.
/backup Saves the audit policy to a file.
/restore Restores the audit policy from a file.
/clear Clears the audit policy.
/remove Removes the per-user audit policy for a user account.
/resourceSACL Configure global resource SACLs
Use AuditPol <command> /? for details on each command
Thanks!
May 2nd, 2012 7:25pm
Hi,
Is the GPO assigned to the OU which contains all the 2008 R2 servers?
Do you apply any filter for this GPO?
Because there is no parameter for "auditpol.exe /get", it shows "The parameter is incorrect".
For more information:
Auditpol get
http://technet.microsoft.com/en-us/library/cc772576(v=ws.10).aspx
Regards,
Terry | My Blog: http://terrytlslau.tls1.cc
May 3rd, 2012 12:14am
Hello Terry,
Is the GPO assigned to the OU which contains all the 2008 R2 servers? Yes.
Do you apply any filter for this GPO? No filter has been applied.
The strange part is that, apart from the audit policies, all other policies were applied. For testing, I even modified a few policies in the GPO, and they were found to be working fine.
I can't figure out why the audit policies were not applied.
Here is the output of the command auditpol /get /category:*
============================================
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation No Auditing
============================================
Here is the snapshot of RSOP
Thanks!
May 3rd, 2012 5:20pm
Hi,
Could you take a snapshot of "Computer Configuration properties" in RSOP for verifying?
Regards,
Terry | My Blog: http://terrytlslau.tls1.cc
May 3rd, 2012 10:57pm
Hi,
Thank you for the post.
I tested the audit policy on my computers, and let me explain more about this audit policy GP issue:
1. According to KB921468, the override audit policy's default value is Enabled even though it shows Not Defined. So please set it to Disabled.
2. The override audit policy works when you have not set any subcategory audit policies. You cannot set both category-level and subcategory-level audit policies, since no category audit policies will work. So MS recommends setting subcategory audit policies via group policy or a startup script.
http://support.microsoft.com/kb/921469
3. In your scenario, some policy may have configured subcategory audit policies once and then had the configuration removed. To find the policy, search for audit.csv in the \\domain.com\sysvol folder. Then there are two solutions you could choose:
- Record the GPO ID, delete the audit.csv file, run ADSI Edit--Default naming context--DC--System--Policies--GPO ID--Properties--gPCMachineExtensionNames attribute--remove the string [{F3CCC681-B74C-4060-9F26-CD84535DCA2A}{0F3F3735-573D-9804-99E4-B2A69BA5FD4}]
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/0486c801-8980-4afa-8fee-8cc1409c3ee2
- Record the GPO ID and settings, create a new GPO with the same settings (do not copy the policy), and delete the old GPO
http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
If there are more inquiries on this issue, please feel free to let us know.
Regards,
Rick Tan
TechNet Community Support
May 4th, 2012 2:44am
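The three checks Rick describes above (whether the subcategory-override setting is in effect, which GPOs in SYSVOL still carry an audit.csv, and what the host's effective audit policy actually is) can be run as one read-only diagnostic before touching any GPO. The following PowerShell script is an added example for this thread, not code posted by Rick, Terry or Microsoft. It assumes an elevated session on a 2008 R2 or later member server, that the domain DNS name in $DomainDns is replaced with your own (contoso.example is a placeholder), and that the override setting is stored as the SCENoApplyLegacyAuditPolicy value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa as documented in KB921468. It reports only; it does not delete audit.csv or edit gPCMachineExtensionNames.

```powershell
# Added diagnostic for the "audit policy not applied" scenario in this thread.
# Read-only: it inspects the override setting, SYSVOL, and the effective policy.
param(
    [string]$DomainDns = 'contoso.example'   # placeholder, replace with your domain's DNS name
)

# 1. Is "Audit: Force audit policy subcategory settings (Windows Vista or later)
#    to override audit policy category settings" in effect?
#    KB921468 maps it to the SCENoApplyLegacyAuditPolicy registry value; when the
#    value is absent ("Not Defined" in the GPO) Vista+ behaves as if it were enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
$override = $lsa.SCENoApplyLegacyAuditPolicy
if ($null -eq $override) {
    Write-Output 'SCENoApplyLegacyAuditPolicy is not set (Not Defined): subcategory settings override category settings by default.'
} elseif ($override -eq 1) {
    Write-Output 'SCENoApplyLegacyAuditPolicy = 1: subcategory settings override category (legacy) settings.'
} else {
    Write-Output "SCENoApplyLegacyAuditPolicy = $override: legacy category audit policy from the GPO is applied."
}

# 2. Which GPOs in SYSVOL carry a subcategory (advanced) audit policy?
#    Those settings live in <GPO GUID>\Machine\Microsoft\Windows NT\Audit\audit.csv
#    under the Policies share; an old audit.csv left behind is what Rick's point 3 describes.
$policiesRoot = "\\$DomainDns\SYSVOL\$DomainDns\Policies"
if (Test-Path -Path $policiesRoot) {
    $found = Get-ChildItem -Path $policiesRoot -Recurse -Filter 'audit.csv' -ErrorAction SilentlyContinue
    if (-not $found) {
        Write-Output "No audit.csv found under $policiesRoot"
    }
    foreach ($file in $found) {
        # The GPO GUID is the first path element below the Policies root.
        $gpoId = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]{36}\}').Value
        $rows  = @(Import-Csv -Path $file.FullName)   # @() so a single row still has .Count
        [pscustomobject]@{
            GpoId           = $gpoId
            SubcategoryRows = $rows.Count
            Path            = $file.FullName
        }
    }
} else {
    Write-Warning "Cannot reach $policiesRoot (check the domain name and SYSVOL access)"
}

# 3. Effective audit policy on this host. /r emits CSV, so it parses into objects
#    instead of the fixed-width text the thread pasted; the columns are
#    Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$effective = @(auditpol /get /category:* /r | ConvertFrom-Csv)
$unaudited = @($effective | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
Write-Output ("{0} of {1} subcategories are set to No Auditing" -f $unaudited.Count, $effective.Count)
$effective | Select-Object -Property Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
```

Run it once before and once after the change the thread settles on (setting the override policy to Disabled and running gpupdate /force); the count of "No Auditing" subcategories in step 3 is the quickest confirmation that the category-level settings from the GPO are now in effect. If step 2 lists an audit.csv in a GPO that no longer intends to configure advanced auditing, that is the GPO to clean up using one of the two options Rick gives.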
"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." - I have disabled this policy and executed gpupdate /force on the member server, and the audit policies were applied on the member server.
Many thanks Rick and Terry. Thanks again for your time and assistance.
Thanks!
May 4th, 2012 3:10am