This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.

I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:

Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.

I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.

All my DCs are running Windows Server 2012 R2, DFL 2008 R2.

Thanks and regards.

Hi,

>>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:

Did we try to run command gpresult/h report.html with admin privileges to collect group policy result report to check how the policy setting was  applied after rebooting?  Besides, we can also try to run command auditpol /get / category:* from an elevated command prompt to check what audit settings are applied.

Best regards,
Frank Shen

In my original post, I missed the specific audit setting that's being changed or turned off. It didn't turn off everything, just "Audit directory service access".

I have DCs in 2 other sites; all DCs in all sites are applied with the same GPOs, but only this particular site's DCs do this.

Thanks and regards. - Tian