none
Global Object Access Auditing Not Applied To Standalone Computer

    Întrebare

  • On a standalone Windows 7 SP1 computer, LocalGPO.wsf applies audit policy and reports "Applied valid Audit Policy CSV from ...".

    Everything looks fine, but our testing reveals that "Global Object Access Auditing" (for the file system) isn't active, even after a reboot. (We are auditing for various file system access failures.)

    Here is the strange thing... if we simply run gpedit.msc, edit the "Global Object Access Auditing" for the file system, and save the configuration, it starts working immediately. We don't even need to make any changes... just opening it up and closing it (via gpedit.msc) seems to fix the problem.

    Why? What operation is being performed by the group policy editor that isn't accomplished by localgpo.wsf? Very strange, indeed. Our workaround is to manually open/close the "Global Object Access Auditing" after running localgpo.wsf, but obviously we are trying to automate our group policies and needing to use gpedit.msc is troublesome.

    20 februarie 2012 00:20

Toate mesajele

  • Aero;

    would you mind placing the GPO backup in a ZIP archive, then renaming the file to something like GPO.rename and emailing it to use at secwish@microsoft.com? Please be sure to reference this forum thread in your message too.

    thanks!

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    20 februarie 2012 18:02
    Proprietar
  • Sent.

    This behavior can be easily demonstrated.

    1. Clear all advanced audit policy settings. (Or use a "clean" install of Windows 7.)

    auditpol /clear /y
    auditpol /resourcesacl /type:File /clear
    auditpol /resourcesacl /type:Key /clear

    2. Apply the GPO via localgpo.wsf and restart the computer.

    3. Attempt to delete folder Windows\addins. Click no at UAC prompt. Observe that no Audit Failure event appears in the Security log (Event Viewer).

    4. Start gpedit.msc. Navigate to Computer Configuration, Windows Settings, Security Settings, Advanced Audit Policy Configuration, System Audit Policies - Local Group Policy Object,  Global Object Access Auditing, File system. Click on Configure. Click on Edit. Click on OK 3 times to close windows.

    5. Attempt to delete folder Windows\addins. Click no at UAC prompt. Observe that 2 Audit Failure events (Event ID 4656) now appear in the Security log (Event Viewer). (Refresh view if they don't appear immediately.)

    Again, for some reason, localgpo.wsf doesn't seem to fully apply adavanced audit policy. You have to run gpedit.msc to activate audit policy defined in the GPO. Why?

    Thanks for your support.

    20 februarie 2012 19:34
  • Aerospace,

    thanks for your detailed posts. The simplest way to ensure that the audit policies (and everything else you change in the local GPO) is to enter "GPUpdate /force" at a command prompt with admin privileges, then restart.

    regards,

    Kurt


    Kurt Dillard http://www.kurtdillard.com

    21 februarie 2012 17:01
    Proprietar
  • GPUpdate /force definitely refreshes the policy, and works to correct this issue, but only when using LocalGPO on domain-joined computers.

    We have identified a small error in LocalGPO that causes some of the object auditing settings to not apply properly... this has been corrected in LocalGPO 2.5 which will be included in the upcoming release of SCM 2.5.

    Many thanks to Aero.Space for spotting and helping us fix this bug!

    22 februarie 2012 20:19