Local Audit setting can't be applied to W2k8R2 using the LocalGPO tools?

  • Question

  • I find that if I use LocalGPO.wsf to import a security baseline CAB defined from the Security Compliance Manager, those local audit settings will be reset to No Auditing, and the imported settings will go to the Audit Settings in “Advanced Audit Policy Configuration” instead of the Local Policy.


    Anyone know why the Audit settings won’t go to the local audit policy section?


    Steps to repro


    1) On a machine, duplicate a baseline based on the WS08R2-EC-Member-Server 1.0 template
    2) Set the audit policy, i.e. \Local Policies\Audit Policy\Audit logon events to Success, and save it
    3) Select publish, create a GPO backup, and copy it to the newly set up Win2k8 R2 machine
    4) On the newly set up Win2k8 R2 machine, install the local policy MSI
    5) Run the local policy command line as an admin
    6) LocalGPO.wsf /Path:"X:\Sources\LGPO\HKEX_Win7\{b7f38124-7779-406c-8694-5db71d1eab55}"
       In this step, I can see that “the audit settings have been applied from the audit.csv” file.
    7) Reboot the machine
    8) Open the local policy editor and find that the audit policy did not change: there are no Audit Settings under “Local Policies -> Audit Policy”. However, I find the Audit Settings are set in the “Advanced Audit Policy Configuration”.




    Monday, April 18, 2011 5:05 PM

All replies

  • You should stick with Advanced Audit Policy settings on WS08-R2... there are many reasons legacy audit policy settings are disabled by default on Win7/R2. See the Advanced Audit Policy section in the WS08-R2 security guide included with the baseline in SCM. Using legacy audit policies on WS08-R2 goes against all auditing best practices.

    That said, when you apply the EC baseline exported from SCM, LocalGPO runs AuditPol.exe to apply the “Advanced Audit CSV” file it includes, and all of the legacy audit policies are reset to the default No Auditing. This is by design… it occurs because the CSV file included in the exported baseline does not contain the following line:


    This line is added to an Advanced Audit Policy backup csv file when the “Audit: Force audit policy…” setting is disabled (this setting must be disabled in GPEdit for Legacy Audit Policy to work at all on WS08-R2), and AuditPol.exe is used to backup the Advanced Audit Policy. If this line is not in the audit.csv file, AuditPol.exe configures the Advanced Audit Policy as specified in the file, and resets the Legacy Audit Policy to the default No Auditing.

    To use the current versions of SCM and LocalGPO in your scenario, the required steps are as follows:

    1. Customize the desired baseline in SCM and export to GPO backup
    2. Apply the GPO to local policy using the LocalGPO tool (legacy settings are ignored)
    3. Modify Local Policy as required (i.e. configure legacy audit policy… make sure “Audit: Force audit policy..” is disabled, etc.)
    4. Use LocalGPO to export the modified Local Policy to GPO backup

    The resulting GPO backup can be used with LocalGPO to configure both the legacy and advanced audit policies on other computers. The GPO backup can also be imported into a GPO.

    Another approach would be to modify the audit.csv with the line specified above, or to simply delete the Audit.csv from the exported GPO backup (this will prevent the GPO backup from importing into a GPO).

    Hope this helps!

    Tuesday, April 19, 2011 7:11 PM
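As an added example (not part of this thread, and not LocalGPO or SCM code), a PowerShell wrapper that snapshots the audit policy with AuditPol.exe before running LocalGPO.wsf against an exported GPO backup, reports the “Audit: Force audit policy…” override setting the reply refers to, and lists which subcategories changed afterwards so a reset to No Auditing is visible and reversible. The LocalGPO.wsf install path, the parameter names and the audit.csv column names (Subcategory, Inclusion Setting) are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the thread: wrap a LocalGPO.wsf import with an
# AuditPol.exe backup before and after. Assumed: the LocalGPO.wsf install path
# and the audit.csv column names written by "auditpol /backup".
param(
    [Parameter(Mandatory = $true)] [string] $GpoBackupPath,          # the {GUID} GPO backup folder
    [string] $LocalGpo = "$env:ProgramFiles\LocalGPO\LocalGPO.wsf",  # assumed install path
    [string] $Before   = "$env:TEMP\auditpol-before.csv",
    [string] $After    = "$env:TEMP\auditpol-after.csv"
)

function Save-AuditPolicy([string] $File) {
    # Full subcategory backup in the same CSV format AuditPol.exe restores from.
    & auditpol.exe /backup /file:$File | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed with exit code $LASTEXITCODE" }
}

function Get-ForceOverrideSetting {
    # Registry value behind "Audit: Force audit policy subcategory settings ...
    # to override audit policy category settings". 1 = enabled, so the legacy
    # Local Policies\Audit Policy is ignored; it must be 0 for legacy policy to apply.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($null -eq $lsa.SCENoApplyLegacyAuditPolicy) { 'not defined' } else { $lsa.SCENoApplyLegacyAuditPolicy }
}

Save-AuditPolicy $Before
"Force-override (SCENoApplyLegacyAuditPolicy): $(Get-ForceOverrideSetting)"

# Warn up front if the backup carries an audit.csv: LocalGPO hands it to
# AuditPol.exe, which resets the legacy categories to No Auditing.
$csv = Get-ChildItem $GpoBackupPath -Recurse -Filter audit.csv -ErrorAction SilentlyContinue | Select-Object -First 1
if ($csv) { "audit.csv found: $($csv.FullName) (legacy audit policy will be reset)" }
else      { "no audit.csv in backup: AuditPol.exe will not be run" }

# Run the import the way the thread does (from the LocalGPO folder), then snapshot again.
Push-Location (Split-Path $LocalGpo)
try { & cscript.exe //nologo $LocalGpo "/Path:$GpoBackupPath" } finally { Pop-Location }
Save-AuditPolicy $After

# Diff the two snapshots subcategory by subcategory.
$old = @{}
Import-Csv $Before | ForEach-Object { $old[$_.Subcategory] = $_.'Inclusion Setting' }
Import-Csv $After | ForEach-Object {
    $was = if ($old.ContainsKey($_.Subcategory)) { $old[$_.Subcategory] } else { '(absent)' }
    if ($was -ne $_.'Inclusion Setting') { '{0,-45} {1} -> {2}' -f $_.Subcategory, $was, $_.'Inclusion Setting' }
}
"Revert with: auditpol /restore /file:$Before"
```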