Audit Policies are not being applied !

    Question

  • Hi,

    The audit polices have been set in a GPO that is applied to our 2008 R2 servers but they are not reflecting in local security policy. 

    I referred article : http://support.microsoft.com/kb/921468 but in vain.

    I enforced this policy but no luck.

    In the local GPO, I can see the policy is enforced; however, the values are not set. How do I enable these settings?

    GPO has following configured

    When try auditpol /get command, I get following message

    C:\Windows\System32>auditpol.exe /get
    Error 0x00000057 occurred:
    The parameter is incorrect.

    Usage: AuditPol command [<sub-command><options>]


    Commands (only one command permitted per execution)
      /?               Help (context-sensitive)
      /get             Displays the current audit policy.
      /set             Sets the audit policy.
      /list            Displays selectable policy elements.
      /backup          Saves the audit policy to a file.
      /restore         Restores the audit policy from a file.
      /clear           Clears the audit policy.
      /remove          Removes the per-user audit policy for a user account.
      /resourceSACL    Configure global resource SACLs


    Use AuditPol <command> /? for details on each command



    Thanks !


    Wednesday, May 2, 2012 23:25

Answers

All replies

  • Hi,

    Is the GPO assigned to the OU which contains all the 2008 R2 servers?

    Do you apply any filter for this GPO?

    Because there is no parameter for "auditpol.exe /get", it shows "The parameter is incorrect".

    For more information:

    Auditpol get

    http://technet.microsoft.com/en-us/library/cc772576(v=ws.10).aspx

    Regards, Terry | My Blog: http://terrytlslau.tls1.cc

    Thursday, May 3, 2012 04:14
  • Hello Terry,

    Is the GPO assigned to the OU which contains all the 2008 R2 servers? Yes

    Do you apply any filter for this GPO? No filter has been applied

    The strange part is that, apart from the audit policies, all other policies were applied. For testing, I even modified a few policies in the GPO and they are found to be working fine.

    I can't figure out why the audit policies were not applied.

    Here is the output of command auditpol /get /category:*

    ============================================

    System audit policy

    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   No Auditing
    ============================================

    Here is the snapshot of RSOP


    Thanks !

    Thursday, May 3, 2012 21:20
  • Hi,

    Could you take a snapshot of "Computer Configuration properties" in RSOP for verifying?

    Regards, Terry | My Blog: http://terrytlslau.tls1.cc

    Friday, May 4, 2012 02:57
  • Hi,

    Thank you for the post.

    I tested the audit policy on my computers, and let me explain more about the audit policy GP issue:
    1. Per KB921468, the override audit policy default value is Enabled even though it shows Not Defined. So please set it to Disabled.
    2. The override audit policy works when you have not set any subcategory audit policies. You cannot set both category-level and subcategory-level audit policies, since then no category audit policies will work. So MS recommends setting subcategory audit policies via group policy or a startup script.
    http://support.microsoft.com/kb/921469
    3. In your scenario, some policy may have configured subcategory audit policies once and then removed the configuration. To find the policy, search for audit.csv in the \\domain.com\sysvol folder. Then there are two solutions you could choose:
    • Record the GPO ID, delete the audit.csv file, run ADSI Edit--Default naming context--DC--System--Policies--GPO ID--Properties--gPCMachineExtensionNames attribute--remove the string [{F3CCC681-B74C-4060-9F26-CD84535DCA2A}{0F3F3735-573D-9804-99E4-B2A69BA5FD4}]
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/0486c801-8980-4afa-8fee-8cc1409c3ee2
    • Record the GPO ID and settings, create a new GPO with the same settings (not a copy of the policy) and delete the old GPO
    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Jayawardhane Friday, May 4, 2012 07:10
    Friday, May 4, 2012 06:44
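    The two checks Rick's answer asks for (is the subcategory override active on the member server, and which GPOs in SYSVOL still carry an audit.csv) can be scripted rather than done by hand. The script below is an added example and is not code from the thread or from Microsoft; it assumes a domain-joined host, a placeholder domain name in $DomainDns, and the ActiveDirectory module for the optional gPCMachineExtensionNames lookup. The registry value SCENoApplyLegacyAuditPolicy is the storage location of the "Force audit policy subcategory settings ... to override" setting; the SYSVOL path under Machine\Microsoft\Windows NT\Audit is where the audit policy CSE writes audit.csv.

```powershell
# Added example (not from the thread). Reports whether subcategory audit
# policy overrides legacy category policy on this host, and lists every GPO
# whose SYSVOL folder still contains an audit.csv, including empty ones.
param(
    [string]$DomainDns = 'domain.example'   # placeholder: replace with your AD DNS name
)

# 1. Local override switch. 1 = subcategory (advanced) policy wins and legacy
#    category settings are silently ignored, which is the symptom in this thread.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
             -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
Write-Output "SCENoApplyLegacyAuditPolicy = $override (1 = legacy category settings ignored)"

# 2. Every GPO that has ever delivered advanced audit policy leaves an audit.csv
#    under <GPO GUID>\Machine\Microsoft\Windows NT\Audit\ in SYSVOL.
$policiesRoot = "\\$DomainDns\SYSVOL\$DomainDns\Policies"
$auditCsvs = Get-ChildItem -Path "$policiesRoot\*\Machine\Microsoft\Windows NT\Audit\audit.csv" `
                           -ErrorAction SilentlyContinue

# Domain DN derived from the DNS name, used for the optional AD lookup.
$domainDn = 'DC=' + ($DomainDns -replace '\.', ',DC=')

foreach ($csv in $auditCsvs) {
    # The GPO GUID is the first folder under Policies.
    $gpoId = $csv.FullName.Substring($policiesRoot.Length + 1).Split('\')[0]

    # A header-only audit.csv is the "configured once, then removed" case from the
    # answer: the file still exists, so the CSE still applies an (empty) set of
    # subcategory settings and the legacy category settings are still suppressed.
    $rowCount = @(Import-Csv -Path $csv.FullName).Count

    # Optional: does the GPO object still advertise the audit policy CSE?
    # The CSE GUID pair begins with F3CCC681, as quoted in the answer above.
    $cseListed = $null
    $gpoObj = Get-ADObject -Identity "CN=$gpoId,CN=Policies,CN=System,$domainDn" `
                           -Properties gPCMachineExtensionNames -ErrorAction SilentlyContinue
    if ($gpoObj) {
        $cseListed = [bool]($gpoObj.gPCMachineExtensionNames -like '*F3CCC681*')
    }

    [pscustomobject]@{
        GpoId          = $gpoId
        Subcategories  = $rowCount
        AuditCseListed = $cseListed
        AuditCsv       = $csv.FullName
    }
}
```

    Run it as a domain user from the member server that is missing its audit settings. A GPO showing Subcategories = 0 with AuditCseListed = True is the candidate the answer describes; a non-zero row count means that GPO is still intentionally delivering advanced audit policy, and the legacy category settings in the other GPO will not take effect until either that GPO or the override switch is changed.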
  • "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." - I have disabled this policy and executed gpupdate /force on the member server, and the audit policies were applied on the member server.

    Many thanks Rick and Terry. Thanks again for your time and assistance.


    Thanks !

    Friday, May 4, 2012 07:10