The situation is this:
After enabling Advanced Audit Policy on the Domain Controllers OU, one of the DCs does not apply the Domain Controllers Audit Policy (every other DC in the OU does), and after a quick check, it doesn’t apply the Domain Audit policy either.
We have tried already:
1. Disabling the Advanced Audit policy and returning to the Basic Audit, with no results
2. Deleting the Audit.csv files to “refresh” the Audit settings, after Auditpol /clear, with no results
3. Sticking with the Advanced Audit policy and forcing the subcategory settings on the trouble server by performing an Auditpol /restore from one of the functioning servers.

After attempt 3, the trouble server took the correct subcategory audit configuration, but it “seems” to be “offline”: when performing any change to the Advanced Audit settings from the GPO interface, the change doesn’t replicate to the trouble server.
According to gpresult, the trouble server does not have Advanced Audit policy enabled, even though the Advanced Audit policy in the Domain Controllers OU is enabled by the DC Audit policy.
Now, another strange thing is that, when accessing the local policies (gpedit.msc), the Basic audit local policy is configured as it was in an older version of the Domain Audit policy and cannot be changed by any means.
Any idea what else I can do to bring this server out of its “offline” Audit status?
Thanks in advance
PS: I have already applied a lot of suggestions posted in this forum, with no results.
- Edited by S. Nicolazzi Tuesday, July 30, 2013 4:18 PM
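One way to see exactly which subcategories differ between the trouble server and a working DC, as an added example that is not part of the original thread. The host names are placeholders, and the script assumes PowerShell remoting is enabled on both DCs and that auditpol prints English column headers.

```powershell
# Added example, not from the thread. Host names below are placeholders.
$ReferenceDC = 'DC-GOOD.example.test'   # a DC that applies the audit GPO
$SuspectDC   = 'DC-BAD.example.test'    # the DC that does not

function Get-EffectiveAuditPolicy {
    param([Parameter(Mandatory)][string]$ComputerName)
    # "auditpol /get /category:* /r" reports the effective settings as CSV.
    $lines = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        auditpol.exe /get /category:* /r
    }
    # Drop the blank lines auditpol emits before parsing the CSV.
    $lines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
}

function Compare-AuditPolicy {
    param([object[]]$Reference, [object[]]$Suspect)
    # Index the reference rows by subcategory GUID (stable across locales).
    $byGuid = @{}
    foreach ($row in $Reference) { $byGuid[$row.'Subcategory GUID'] = $row }

    foreach ($row in $Suspect) {
        $ref = $byGuid[$row.'Subcategory GUID']
        if ($null -eq $ref) { continue }   # subcategory unknown to the reference DC
        if ($ref.'Inclusion Setting' -ne $row.'Inclusion Setting') {
            [pscustomobject]@{
                Subcategory = $row.Subcategory
                Reference   = $ref.'Inclusion Setting'
                Suspect     = $row.'Inclusion Setting'
            }
        }
    }
}

$good = Get-EffectiveAuditPolicy -ComputerName $ReferenceDC
$bad  = Get-EffectiveAuditPolicy -ComputerName $SuspectDC
$diff = @(Compare-AuditPolicy -Reference $good -Suspect $bad)

if ($diff.Count -eq 0) {
    "Effective audit subcategory settings match on both DCs."
} else {
    $diff | Sort-Object Subcategory | Format-Table -AutoSize
}
```

Running it again after a GPO change and a policy refresh on both DCs shows whether the trouble server picked up the change or is still holding the restored settings.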
Enable Active Directory auditing; once it is enabled, you can monitor the changes as they are registered in the security logs of your Domain Controller. Follow the link below:
AD DS Auditing Step by Step Guide
If the problem persists, you can move towards any auditing solution like this
Thanks for your answer, Chris.
I have already followed the Step by Step Guide (which I followed to activate Advanced Audit Policy in the first place) and the problem persists, only in one DC.
At this moment, installing a new audit tool is not possible.