Audit Policy Not Applying Completely

    Question

  • I have a Server 2008 R2 machine that is receiving its Advanced Audit Policy settings from a GPO. Not all of the settings are being applied. Most apply correctly, but there are some items that do not. I tried setting the *missing* items using Local Policy, and they still did not show up. If I use auditpol /set... it works. Why would certain settings not be applied via GPO? I have tried with the Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" set to enabled and disabled. If I have this setting set to enabled and clear the audit policy (auditpol /clear), the policy settings from the GPO do not apply AT ALL even though they are Advanced settings. I have to set the policy setting to disabled, then run gpupdate to get the policy settings to reapply.

    Missing Settings

      Process Creation - Success
      Audit Policy Change - Failure
      Sensitive Privilege Use - Success
      IPsec Driver - Failure
      Security State Change - Failure
      Security System Extension - Failure
      System Integrity - Failure

    Advanced Audit Settings from GPO

    Account Logon
      Audit Credential Validation             Success, Failure

    Account Management
      Audit Computer Account Management       Success, Failure
      Audit Other Account Management Events   Success, Failure
      Audit Security Group Management         Success, Failure
      Audit User Account Management           Success, Failure

    Detailed Tracking
      Audit Process Creation                  Success

    Logon/Logoff
      Audit Logoff                            Success
      Audit Logon                             Success, Failure
      Audit Special Logon                     Success

    Object Access
      Audit File System                       Failure
      Audit Handle Manipulation               Failure
      Audit Registry                          Failure

    Policy Change
      Audit Audit Policy Change               Success, Failure
      Audit Authentication Policy Change      Success

    Privilege Use
      Audit Sensitive Privilege Use           Success, Failure

    System
      Audit IPsec Driver                      Success, Failure
      Audit Security State Change             Success, Failure
      Audit Security System Extension         Success, Failure
      Audit System Integrity                  Success, Failure

    Global Object Access Auditing : File
      Failure   Everyone   Full Control

    Global Object Access Auditing : Registry
      Failure   Everyone   Full Control

    Result of auditpol /get /category:*

    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               Success
      System Integrity                        Success
      IPsec Driver                            Success
      Other System Events                     Success
      Security State Change                   Success
    Logon/Logoff
      Logon                                   Success and Failure
      Logoff                                  Success and Failure
      Account Lockout                         Success and Failure
      IPsec Main Mode                         Success and Failure
      IPsec Quick Mode                        Success and Failure
      IPsec Extended Mode                     Success and Failure
      Special Logon                           Success and Failure
      Other Logon/Logoff Events               Success and Failure
      Network Policy Server                   Success and Failure
    Object Access
      File System                             Failure
      Registry                                Failure
      Kernel Object                           Failure
      SAM                                     Failure
      Certification Services                  Failure
      Application Generated                   Failure
      Handle Manipulation                     Failure
      File Share                              Failure
      Filtering Platform Packet Drop          Failure
      Filtering Platform Connection           Failure
      Other Object Access Events              Failure
      Detailed File Share                     Failure
    Privilege Use
      Sensitive Privilege Use                 Failure
      Non Sensitive Privilege Use             Failure
      Other Privilege Use Events              Failure
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     Success
      Authentication Policy Change            Success
      Authorization Policy Change             Success
      MPSSVC Rule-Level Policy Change         Success
      Filtering Platform Policy Change        Success
      Other Policy Change Events              Success
    Account Management
      User Account Management                 Success and Failure
      Computer Account Management             Success and Failure
      Security Group Management               Success and Failure
      Distribution Group Management           Success and Failure
      Application Group Management            Success and Failure
      Other Account Management Events         Success and Failure
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      Success and Failure
      Other Account Logon Events              Success and Failure
      Kerberos Authentication Service         Success and Failure
      Credential Validation                   Success and Failure

    Content of C:\Windows\Security\audit\audit.csv

    Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
    ,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
    ,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1
    ,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
    ,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Failure,,2
    ,System,Audit Handle Manipulation,{0cce9223-69ae-11d9-bed3-505054503030},Failure,,2
    ,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Failure,,2
    ,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
    ,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
    ,,FileGlobalSacl,,,,S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
    ,,RegistryGlobalSacl,,,,S:(AU;FA;KA;;;WD)
    ,System,Audit Credential Validation,,Success and Failure,,3
    ,System,Audit Computer Account Management,,Success and Failure,,3
    ,System,Audit Other Account Management Events,,Success and Failure,,3
    ,System,Audit Security Group Management,,Success and Failure,,3
    ,System,Audit User Account Management,,Success and Failure,,3
    ,System,Audit Process Creation,,Success,,1
    ,System,Audit Logoff,,Success,,1
    ,System,Audit Logon,,Success and Failure,,3
    ,System,Audit Special Logon,,Success,,1
    ,System,Audit File System,,Failure,,2
    ,System,Audit Registry,,Failure,,2
    ,System,Audit Audit Policy Change,,Success and Failure,,3
    ,System,Audit Authentication Policy Change,,Success,,1
    ,System,Audit Sensitive Privilege Use,,Success and Failure,,3
    ,System,Audit IPsec Driver,,Success and Failure,,3
    ,System,Audit Security State Change,,Success and Failure,,3
    ,System,Audit Security System Extension,,Success and Failure,,3
    ,System,Audit System Integrity,,Success and Failure,,3

    Thursday, January 28, 2016 12:47 AM
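    The "Missing Settings" list in the question was produced by comparing the GPO's audit.csv against auditpol output by hand. The script below, an added example that is not part of the thread, automates that comparison: it reads the Setting Value bit mask from the policy's audit.csv, reads the effective policy from auditpol /get /category:* /r (which emits CSV with the same Subcategory GUID column), and prints, per subcategory, which half (Success, Failure or both) the GPO asks for but is not in effect. The SYSVOL path is a placeholder; the session must be elevated because auditpol /get requires it.

```powershell
# Added example (not code from the thread): diff a GPO's Advanced Audit Policy
# (audit.csv) against the effective policy auditpol reports, and list the gaps.
# Assumptions: $AuditCsvPath is a placeholder for the GPO's audit.csv in SYSVOL;
# the session is elevated, since auditpol /get needs it.
param(
    [string]$AuditCsvPath = '\\domain-fqdn\SYSVOL\domain-fqdn\Policies\{policy-id}\Machine\Microsoft\Windows NT\Audit\audit.csv'
)

# Both sources use the same Inclusion Setting vocabulary; map it to the bit mask
# audit.csv stores in "Setting Value" (1 = Success, 2 = Failure, 3 = both, 0 = none).
function ConvertTo-AuditMask([string]$Setting) {
    switch ($Setting.Trim()) {
        'Success'             { 1 }
        'Failure'             { 2 }
        'Success and Failure' { 3 }
        default               { 0 }   # 'No Auditing' or blank
    }
}

# Keep only subcategory rows that carry a GUID. The duplicate rows without a GUID
# and the FileGlobalSacl/RegistryGlobalSacl rows cannot be joined to auditpol output.
$policy = Import-Csv -Path $AuditCsvPath |
    Where-Object { $_.'Subcategory GUID' -match '^\{[0-9a-fA-F-]+\}$' }

# auditpol /r prints the effective policy as CSV with a Subcategory GUID column;
# the GUID is the join key (letter case differs between the two sources).
$effective = @{}
auditpol /get /category:* /r |
    Where-Object { $_ -and $_.Trim() } |
    ConvertFrom-Csv |
    ForEach-Object { $effective[$_.'Subcategory GUID'.ToLower()] = ConvertTo-AuditMask $_.'Inclusion Setting' }

$gaps = foreach ($row in $policy) {
    $wanted  = ConvertTo-AuditMask $row.'Inclusion Setting'
    $guid    = $row.'Subcategory GUID'.ToLower()
    $actual  = if ($effective.ContainsKey($guid)) { $effective[$guid] } else { 0 }
    $missing = $wanted -band (-bnot $actual)      # bits the GPO wants that are not in effect
    if ($missing -ne 0) {
        $names = @()
        if ($missing -band 1) { $names += 'Success' }
        if ($missing -band 2) { $names += 'Failure' }
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            GpoSetting  = $row.'Inclusion Setting'
            Missing     = $names -join ' and '
        }
    }
}

if ($gaps) { $gaps | Format-Table -AutoSize } else { 'Effective audit policy matches the GPO.' }
```

Run against the data in the question, it reports Audit Process Creation as missing Success and Audit Audit Policy Change as missing Failure, matching the hand-built list above.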

All replies

  • Content of C:\Windows\Security\audit\audit.csv

    The domain-based policy settings are in an audit.csv in SYSVOL and that is never stored locally to the computer. You should check this location instead:
     
    \\domain-fqdn\SYSVOL\domain-fqdn\Policies\{your-policy-id-where-this-setting-was-originally-set}\Machine\Microsoft\Windows NT\Audit
     
    Try to delete the audit.csv file from the path above, run auditpol /clear and gpupdate /force, then verify the result.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Friday, January 29, 2016 7:29 AM
    Moderator
  • Thanks for the reply. The files are identical, so I didn't post the sysvol file in my original post. Also, deleting the file does nothing. Good thought though. This happens on all of my 2008 R2 servers.
    Friday, January 29, 2016 3:46 PM
  • To make sure the problem was not environmental, I stood up a brand new environment using nothing but the Server 2008 R2 install CD and online Windows Update. I stood up two machines, a domain controller and a member server. I then created a simple GPO with the same audit settings I was having problems with. By default, the GPO is applied to Authenticated Users, but we are applying the GPO to a security group containing the machines in question rather than the default Authenticated Users. To simulate this, I created a security group in the test environment and restricted the GPO to that security group.

    After linking the GPO to the OU containing the test server I stood up, I checked the audit policy using auditpol /get /category:* and many of the settings did not apply. Interesting. Also, after running the command auditpol /clear, the audit policy would not reapply no matter what I did.

    So after thinking about it over the weekend, I changed the policy to apply to Authenticated Users instead of the security group. As soon as I did that, all of the policies started applying correctly!

    There appears to be some bug in Server 2008 R2 that is preventing the policy from being applied when the policy is restricted to a security group (it works fine in Server 2012 / 2012 R2), but I have no idea how to proceed with reporting these findings or getting a resolution to the problem. Can anyone validate my findings? Does anyone know how to proceed from here? Thanks.

    Monday, February 01, 2016 5:17 PM
  • Can anyone validate my findings? Does anyone know how to proceed from here? Thanks.

    Hi,
     
    I will try to build an environment and test this on my end. Will get back to you once done.
     

    Regards,

    Ethan Hua


    Tuesday, February 02, 2016 9:49 AM
    Moderator
  • There appears to be some bug in Server 2008 R2 that is preventing the policy from being applied when the policy is restricted to a security group (it works fine in Server 2012 / 2012 R2), but I have no idea how to proceed with reporting these findings or getting a resolution to the problem. Can anyone validate my findings? Does anyone know how to proceed from here? Thanks.

    This seems to work fine on my side. Does this only happen with the specific audit settings mentioned above?

    Run the command on a domain controller instead and see if it works. Also, check if there are any errors in your AD environment.
    Wednesday, February 03, 2016 8:34 AM
  • This seems to work fine on my side. Does this only happen with the specific audit settings mentioned above?

    Run the command on a domain controller instead and see if it works. Also, check if there are any errors in your AD environment.

    So this happens in multiple environments. Like I said, I was able to reproduce the problem in a brand new environment. Perhaps you could provide additional details such as what your Advanced Audit Policy configuration is, how you are applying it, and what the actual results are using auditpol. I provided pretty specific information on how to produce the problem. I'm not sure your scenario is the same.

    Also, running the command on a domain controller isn't how you get the applied audit policy on a member server. Despite this fact, I can tell you the problem exists on both domain controllers and member servers. It has to do with the GPO being filtered to a security group rather than being applied to Authenticated Users.



    • Edited by dpmoody Wednesday, February 03, 2016 9:20 PM
    Wednesday, February 03, 2016 9:14 PM