none
Reboot domain controller changes audit policy on Default Domain Controller Policy

    Question

  • This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.

    I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:

    Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.

    I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.

    All my DCs are running Windows Server 2012 R2, DFL 2008 R2.

    Thanks and regards.

    Tuesday, April 21, 2015 3:37 AM

All replies

  • Hi,

    >>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:

    Did we try to run command gpresult/h report.html with admin privileges to collect group policy result report to check how the policy setting was  applied after rebooting?  Besides, we can also try to run command auditpol /get / category:* from an elevated command prompt to check what audit settings are applied.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, April 22, 2015 1:38 AM
    Moderator
  • In my original post, I missed the specific audit setting that's being changed or turned off. It didn't turn off everything, just "Audit directory service access".

    I have DCs in 2 other sites; all DCs in all sites are applied with the same GPOs, but only this particular site's DCs do this.

    Thanks and regards. - Tian

    Wednesday, April 22, 2015 3:59 AM
  • Did you ever find a solution to this? I have the same thing happening.
    Wednesday, May 18, 2016 8:31 PM
  • No, I haven't. It's still a mystery.
    Wednesday, May 18, 2016 8:45 PM
  • Very strange. I guess I will open an SR with Microsoft. I will let you know what they find.
    Thursday, May 19, 2016 12:35 AM