locked
Local Security Policy Reset to Default RRS feed

  • Question

  • I have a Windows 10 pro machine that i have manually set Local Settings, Audit Policy, to Success, Failure the with 'Local Group Policy Editor'. Every time I reboot these settings are changed. I have to manually go back in and set them all again. I am not on a domain. Is there something that is making these audit settings reset or is there a way to NOT have the settings reset?  (I am doing research that needs this high level of auditing on.)

    Steve


    • Edited by Steven S Thursday, April 13, 2017 3:21 PM
    Thursday, April 13, 2017 3:18 PM

Answers

  • Hi Steven S,

    Right click the registry key and choose "Permissions", "Advanced", "Auditing".


    Best regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 19, 2017 8:32 AM

All replies

  • Hi Steven S,

    What is the exact audit policy you have configured or you have configured all the audit policies?

    Try to disable the antivirus software temporarily.

    I tried to capture a registry key corresponding to "Audit object access" gpo.
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Storage\EnabledDenyGP\{53F56308-B6BF-11D0-94F2-00A0C91EFB8B}]
    We could audit this registry key to capture the culprit who deleted it.

    Best regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 14, 2017 3:02 AM
  • I am setting all the Audit Policy in the Local Policies to Success, Failure.

    Policy                                               Security Setting

    Audit account logon events                 Success, Failure

    Audit account management                 Success, Failure

    9 of them.

    How do you audit a registry key to capture it?

    Thanks.


    SteveS

    Tuesday, April 18, 2017 6:06 PM
  • Hi Steven S,

    Right click the registry key and choose "Permissions", "Advanced", "Auditing".


    Best regards

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 19, 2017 8:32 AM