Audit Policy / Advanced Audit Policy Configuration Confusion...

    Question

  • Hey guys,

    I've a quick question. I'm viewing the GP configuration set by another engineer and trying to understand why they have configured auditing in GP in this manner. 

    Within the Auditing GPO, they have all "local policies > audit policies" defined (success / failure). But then they also have "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" enabled, which to my understanding activates / enables "advanced audit policy configuration", which overrides standard "local policies > audit policies" and any configuration defined within (for Win 7 / Server 2008 R2 systems). BUT they've then not configured / defined any categories / subcategories within "advanced audit policy configuration" - they are all "not configured". 

    I'm a little confused by this. Why would someone do this? Would this configuration result in the enabled / defined "local policies > audit policies" taking precedence, OR, as "advanced audit policy configuration" is enabled, would the "default" settings for each "not configured" category / subcategory take precedence (I'm thinking this is the case and I can remove the "local policies > audit policies" configuration as we've no systems older than Win7 / 2008 R2)? 

    I hope that makes sense! Any help greatly appreciated.

    Thanks guys.


    M Tipler


    • Edited by Mattyt123321 Wednesday, February 3, 2016 9:42 AM
    Tuesday, February 2, 2016 10:36 AM

Answers

  • Hi,

    Yes, your understanding is right. Legacy audit settings can be applied to all Windows versions; the advanced audit settings can be applied only to Windows Vista and above, and Windows 2008 and above. Implementing both the legacy and advanced audit policy settings will cause unexpected outcomes due to conflicts between similar settings in the two groups of policy settings. Enabling "Audit: Force audit policy subcategory settings (Windows Vista or later)" will ensure the legacy audit settings are ignored. In other words, if this option is checked, legacy audit policies (pre-Vista) will not be applied and must be set under Advanced Audit Policy Configuration.

    In my opinion, this configuration does not make any sense. In your case, where all Advanced Audit Policy sub-categories are not configured and there are no systems older than Win7 / 2008 R2, you could refer to the following steps to reconfigure the audit policy settings:

    1. Delete all audit.csv files from the %SYSVOL% folder on the domain controller.

    2. Reconfigure and apply the basic audit policy settings / advanced policy settings. Actually, you could configure only the advanced policy settings.

    More articles for your reference:

    Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

    https://technet.microsoft.com/en-us/library/dd772710%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Getting the Effective Audit Policy in Windows 7 and 2008 R2

    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Mattyt123321 Friday, February 5, 2016 9:49 AM
    Wednesday, February 3, 2016 7:52 AM
    Moderator
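The answer above describes three things an administrator would want to verify on a host before removing the legacy "local policies > audit policies" settings: which mode the "Force audit policy subcategory settings" option has put the machine in, which GPOs are actually shipping an audit.csv, and what policy the LSA is enforcing as a result. The following PowerShell script is an added example, not code from the original thread or from Microsoft; it assumes the registry value name SCENoApplyLegacyAuditPolicy (which is where that policy option is stored), the standard SYSVOL path layout for advanced audit policy, and a domain-joined host where $env:USERDNSDOMAIN is set. Run it from an elevated prompt.

```powershell
# Added example (not from the original thread): show which audit policy mode a
# Windows 7 / Server 2008 R2 or later host is in, which GPOs carry an audit.csv,
# and the policy auditpol reports as effective. Run elevated on a domain member.
# Assumptions: the SCENoApplyLegacyAuditPolicy value name and the SYSVOL layout.

function Get-AuditPolicyMode {
    # "Audit: Force audit policy subcategory settings (Windows Vista or later)
    # to override audit policy category settings" is stored as a DWORD under
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa (assumed value name below).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name 'SCENoApplyLegacyAuditPolicy' `
                  -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
    if ($value -eq 1)           { return 'Advanced (legacy category settings ignored)' }
    elseif ($null -eq $value)   { return 'Not set (OS default behaviour)' }
    else                        { return 'Legacy (category settings apply)' }
}

function Get-EffectiveAuditPolicy {
    # auditpol reports what the LSA actually enforces, regardless of which
    # GPO section (legacy categories or advanced subcategories) it came from.
    auditpol /get /category:* /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Find-GpoAuditCsv {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # Advanced audit policy settings travel in an audit.csv under each GPO's
    # Machine branch in SYSVOL; a GPO with no such file defines no subcategories.
    $root = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $root -Directory | ForEach-Object {
        $csv = Join-Path $_.FullName 'Machine\Microsoft\Windows NT\Audit\audit.csv'
        if (Test-Path $csv) {
            [pscustomobject]@{
                Gpo      = $_.Name
                AuditCsv = $csv
                Entries  = @(Import-Csv $csv).Count
            }
        }
    }
}

Write-Host "Audit policy mode : $(Get-AuditPolicyMode)"
Write-Host "GPOs carrying an audit.csv:"
Find-GpoAuditCsv | Format-Table -AutoSize
Write-Host "Effective policy per subcategory:"
Get-EffectiveAuditPolicy | Format-Table -AutoSize
```

If the mode reads "Advanced" but no GPO carries an audit.csv, the host is in exactly the situation the question describes: the legacy category settings are being ignored and the subcategories fall back to their defaults, so comparing the auditpol output against what the legacy GPO section claims to enable is the quickest way to see what coverage has silently been lost.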

All replies

  • Hi Alvin,

    Thank you very much for taking the time to respond to my question.

    That was extremely helpful! 

    Many thanks once again!

    Regards. 


    M Tipler

    Friday, February 5, 2016 9:49 AM
  • Hi,

    I am glad to hear that the information is helpful to you. If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 8, 2016 3:52 AM
    Moderator