I have W2K8 R2 server. Using GPO's, I have set the Local Policies settings to what I need them to be. If I logon to the server and check the Local Security Policy settings I see that all of the Audit Policy settings show as "No auditing". If I run "gpupdate /force" and reopen the Local Security Policy those settings now show the settings that I had applided via the GPO. If I re-boot the server those settings go back to "No auditing". I thought that it might be just a display issue but when I tested the settings and when they are showing "No auditing" I don't see any Success and/or Failures. If I run gpupdate /force and verify the settings to be correct and then test the settings and I see Success and/or Failures being recorded. Running GPRESULT / RSOP shows the settings should be applied from the GPO. I don't have this issue with Windows Server 2003 servers. Am I missing something? Is this a bug in W2K8 R2? We have 28 W2K8 R2 servers and they are all behaving the same, even in different Forest/Domains. Any assitance is appreicated. Raffi

Hi Raffi, i'm facing the same problem: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/dd8e4254-f8e8-4d85-b04b-46034eb71db7 I've got two server - member of the same ou in our forest - where i set the audit policy. One of them lost the setting to "No Auditing" after a few hours. On the other server (both 2008 R2) the policy stays ... br libbe

guys, I wouldn't rely on SECPOL.MSC looking at audit policy on R2. Just go into command line and try AUDITPOL /list /category and AUDITPOL /get /category:"..." and you should see the real results. There is actually the granular auditing technology, which means I wouldn't trust the old auditing settings view. ondrej.

Ondrej, I don't think you get it. Where can you view/set secpol in 2008 r2? Peta

Hello Libbe, I was able to resolve my mystery issue with audti policies not sticking. In my case I was using the Security Confiugration Manager to work with the GPO templates that Microsoft provides. I had made a copy of one of the GPO templates. After a long frustrating period of trying to figure out what the heck is going on I found out the the GPO templates have a "Startup" script (.cmd) file that contains, in addition to other settings, "Audit Policy" settings. That explains why your Audit Policy settings change/disappear after 90-120 minutes (GPO refresh cycle). Or if you did a GPUPDATE /force then they would change/disappear immediately. I do recommend that you use the AUDITPOL utility as recommended by ondrej above. So, your option is to remove the startup script or modify the script (the audit policy section) to what you want it to do. In my case I removed the startup script and modified the GPO (Advanced Policy settings section) to what I wanted/needed. Good luck and hope this helps. Raffi