After looking over many, many articles on setting GPO auditing I'm now about bald.

Here's what I got; 5 DCs one is 2k8 the rest 2k8R2. I'm at forest level 2k8 and single domain.

When I set local auditing (example; Logon (success/fail)) using GPO only the 2k8 DC will retain the settings. All other DCs revert to "no auditing" after logging off or reboot. When I run auditpol /get /category:* All settings reflect no auditing on all 2k8R2 DCs but when run on the 2k8 it works correctly.

I've tried setting the "Audit: Force audit policy subcategory settings" to disable and that didn't help either.

I've read where someone deleted "all" of the audit.csv files on the DC to resolve this but I'm hesitant to do that. I really need to get this resolved quickly as our firewall authentication relies on the security log showing logons/logoffs.

Thanks. Richard.

  > After looking over many, many articles on setting GPO auditing I'm now > about bald.   This one, too? http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx  

Hi Richard,

How is the issue going? Is the blog provided by Martin helpful? If not, please don't hesitate to let us know, and please share the current progress of the issue with us.

Best regards,
Frank Shen

• Edited by Frank Shen5Microsoft contingent staff, Moderator Monday, July 28, 2014 6:17 AM

To audit group policy try the following:

Run GPMC.msc > open Default Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access > Audit directory service changes >  Define > Success

Then look for these events in Security event log:

5136  A directory service object was modified

5137   A directory service object was created

5141   A directory service object was deleted

 Also you can checkout the following topic:

http://social.technet.microsoft.com/wiki/contents/articles/3862.scom-monitoring-gpo-changes-using-scom-and-powershell.aspx