Short version:
How do I apply subcategory audit policy settings programmatically or via command-line tools (i.e. auditpol.exe) that don't get overwritten by local security policy?
Long version:
I have a stand-alone Windows Server 2008 R2. When I use auditpol.exe or the AuditSetSystemPolicy API to set subcategory audit settings, these changes take effect immediately. However, on a reboot the settings are reset. I can see security event log entries indicating when I change the policy, as well as the system resetting the policy on the restart.
I have seen a few articles indicating that Local Security Policy is not aware of these settings through its secedit.sdb database. That explains why the Local Security Policy snap-in does not accurately reflect the current resultant policy (RSoP). I did not expect Local Policy to overwrite these values on startup (and apparently every ~16 hours?).
In this blog post, "Getting the Effective Audit Policy in Windows 7 and 2008 R2" (http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx), the author mentions Local Policy stomping on auditpol.exe settings in the context of RSoP.
Any help or insight into the behavior of Local Security Policy is greatly appreciated.
Thanks,
Don