Unable to migrate from legacy Audit policy to Advanced Audit Policy

    Question

  • Hello,

    I'm experiencing a weird issue when trying to implement an audit policy based on Advanced Audit Policy on domain controllers. The domain is a native Windows 2008 R2 domain/forest with a single legacy audit policy (which works as expected) applied to the Domain Controllers OU.

    This is what I did:

    - Create an Advanced Audit Policy GPO with all corresponding audit parameters (Windows/Security Settings/Advanced Audit Policy and Windows/Security Settings/Local Policies/Security Options/Other/Force audit policy subcategory set to Enabled), then link it to the Domain Controllers OU and give it a higher priority than the legacy audit policy.

    - Delete the link from the old audit policy on the Domain Controllers OU.

    - Run gpupdate /force and check with gpresult that only the Advanced Audit Policy is applied and the old one isn't anymore: yes and yes. Check the registry key for Force audit policy subcategory: it's OK.

    I checked whether audit.csv files had been created locally and in SYSVOL: this is OK too.

    Here things start to get out of control.

    When executing gpresult /H %userprofile%\desktop\gpo.html, the "Advanced Audit Configuration" category doesn't appear. However, "Force audit policy subcategory" does appear in the report.

    With auditpol /get /category:*, none of the audit policy parameters are updated; they are configured just like the legacy audit policy.

    I tried auditpol /clear then gpupdate /force; all audit parameters are now set to "Not auditing".

    In the Security log, no audit events are logged anymore after the command above.

    I tried a complete rollback to the legacy policy, and it worked instantly: audit events are back, and after auditpol /clear then gpupdate /force all parameters are OK.

    It seems something is preventing the Advanced Audit Policy (but not the legacy policy) from being applied properly. I noticed a warning on the Audit Policy component status after running Group Policy Modeling, but the corresponding application events are non-existent. And it doesn't prevent the legacy audit policy from being applied anyway.

    Any ideas on where I should search next would be welcome (GPO logging?).

    Regards,


    • Edited by Nebuly Wednesday, August 19, 2015 10:58 AM
    Wednesday, August 19, 2015 10:48 AM
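The verification steps described in the question (the Force-subcategory registry value, audit.csv in the local GPO cache and in SYSVOL, and what auditpol actually enforces) collected into one PowerShell script. This is an added example, not code from the thread. It assumes it is run elevated on the domain controller, that the placeholder $GpoGuid is replaced with the GUID of the new audit GPO, and that the "Force audit policy subcategory settings" security option is stored as the SCENoApplyLegacyAuditPolicy DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

```powershell
# Added example (not from the thread): verify on a 2008 R2 DC whether the Advanced Audit
# Policy GPO reached the machine (audit.csv) and LSA (auditpol), and diff the two.
# Assumptions: run elevated on the DC; replace $GpoGuid with the real GPO GUID.
param(
    [string]$Domain  = $env:USERDNSDOMAIN,
    [string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, replace
)

# 1. "Audit: Force audit policy subcategory settings (Windows Vista or later) to override
#    audit policy category settings" writes this DWORD; 1 = Enabled.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
"SCENoApplyLegacyAuditPolicy = $force  (1 = subcategory settings override legacy categories)"

# 2. The Audit Policy CSE consumes audit.csv from the local GPO cache; the GPO's copy lives in SYSVOL.
$localCsv  = Join-Path $env:windir 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
$sysvolCsv = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\Machine\Microsoft\Windows NT\Audit\audit.csv"
foreach ($p in $localCsv, $sysvolCsv) {
    if (Test-Path $p) { "present: $p  (last write $((Get-Item $p).LastWriteTime))" }
    else              { "MISSING: $p" }
}

# 3. What LSA is actually enforcing, as CSV (/r) so it can be parsed rather than eyeballed.
#    Blank lines are dropped because auditpol may emit one before the header.
$effective = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

# 4. Compare intended (audit.csv) against effective (auditpol) per subcategory GUID.
#    Both files use the same "Inclusion Setting" strings (Success, Failure, Success and Failure, No Auditing).
if (Test-Path $localCsv) {
    $intended = Import-Csv $localCsv | Where-Object { $_.'Subcategory GUID' -like '{*' }   # skip Option: rows
    $byGuid = @{}
    foreach ($row in $effective) { $byGuid[$row.'Subcategory GUID'] = $row.'Inclusion Setting' }
    $drift = foreach ($row in $intended) {
        $actual = $byGuid[$row.'Subcategory GUID']
        if ($actual -ne $row.'Inclusion Setting') {
            [pscustomobject]@{
                Subcategory = $row.Subcategory
                Intended    = $row.'Inclusion Setting'
                Effective   = $actual
            }
        }
    }
    if ($drift) { 'Subcategories where GPO intent != effective policy:'; $drift | Format-Table -AutoSize }
    else        { 'audit.csv and auditpol agree for every configured subcategory.' }
}

# 5. Everything currently silent, which is what the Security log will be missing.
'Subcategories set to No Auditing:'
$effective | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
    Select-Object -ExpandProperty Subcategory
```

If step 2 shows audit.csv present but step 4 reports drift for every row, the file reached the GPO cache but the Audit Policy client-side extension never handed it to LSA, which is the situation the question describes; if audit.csv itself is missing, the problem is upstream in SYSVOL replication or GPO filtering.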

All replies

  • Hi

    Thanks for your post.

    Can you re-verify the steps from the article below?

    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

    Also, checking where a client actually stores the audit policy may give you a clue (C:\Windows\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv and C:\Windows\security).

    You may also refer to the following article:

    http://blogs.msdn.com/b/spatdsg/archive/2011/06/06/audit-policy-not-registering-audits.aspx

    Best Regards,

    Mary Dong

     

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 24, 2015 3:21 AM
    Moderator
  • Hello Mary,

    I followed these steps with no better results. From the Windowsupdate.log, it seems there is some kind of issue with the Audit Policy CSE, which could explain the behavior I'm experiencing. Is there some way to reset it?

    Tuesday, August 25, 2015 7:12 AM
  • Hi,

    Thanks for your reply.

    Did you configure "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled"?

    As soon as you start applying Advanced Audit Configuration Policy, legacy policies are completely ignored. The only way to get a Win7/2008 R2 computer to start using legacy policy again is to set the security policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to Disabled.

    And what's the specific error in the log?

    Best Regards,

    Mary Dong



    Wednesday, August 26, 2015 2:13 AM
    Moderator
  • Hello,

    Here is what I get from Group Policy Modeling:

    Component Status -> Audit Policy Configuration :

    Audit Policy Configuration failed due to the error listed below and failed to log resultant set of policy information.

    The system cannot find the file specified.

    Additional information may have been logged. Review the application event log on the domain controller on which the simulation was run for events between 27/08/2015 12:29:52 and 27/08/2015 12:29:52. -> No events are logged in the Application log at this time.

    From the GPSVC log:

    GPSVC(84.ca4) 12:40:50:926 ProcessGPOs: Processing extension Audit Policy Configuration
    GPSVC(84.ca4) 12:40:50:926 ReadStatus: Read Extension's Previous status successfully.
    GPSVC(84.ca4) 12:40:50:926 CheckForGPOsToRemove: GPO <WW_CFG_C_Audit_Policy> needs to be removed -> that's the legacy audit policy, which is currently unlinked
    GPSVC(84.ca4) 12:40:50:926 GetDeletedGPOList: Finished.
    GPSVC(84.ca4) 12:40:50:926 GPLockPolicySection: Sid = (null), dwTimeout = 30000, dwFlags = 0
    GPSVC(84.ca4) 12:40:50:926 LockPolicySection called for user <Machine>
    GPSVC(84.ca4) 12:40:50:926 Sync Lock Called
    GPSVC(84.ca4) 12:40:50:926 Writer Lock got immediately.
    GPSVC(84.ca4) 12:40:50:926 Lock taken successfully
    GPSVC(84.ca4) 12:40:50:926 ProcessGPOList: Entering for extension Audit Policy Configuration
    GPSVC(84.ca4) 12:40:50:926 ProcessGPOList: Passing in the force refresh flag to Extension Audit Policy Configuration
    GPSVC(84.ca4) 12:40:50:942 LogExtSessionStatus: Successfully logged Extension Session data
    GPSVC(84.ca4) 12:40:50:942 ProcessGPOList: Extension Audit Policy Configuration returned 0x8000000a.
    GPSVC(84.ca4) 12:40:50:942 UnLockPolicySection called for user <Machine>
    GPSVC(84.ca4) 12:40:50:942 UnLocked successfully
    GPSVC(84.ca4) 12:40:50:942 ProcessGPOs: Extension Audit Policy Configuration ProcessGroupPolicy returned e_pending.

    Hope this helps. Regards,

    Thursday, August 27, 2015 10:45 AM
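Turning on Group Policy service debug logging and filtering gpsvc.log down to the per-extension return codes, so the Audit Policy Configuration result above (0x8000000a) stands out without reading the whole log. This is an added example, not part of the thread. It uses the standard GPSvcDebugLevel registry switch and log path; the HRESULT names in the lookup table are the standard Windows values, and the sample lines are constructed from the log excerpt posted above.

```powershell
# Added example (not from the thread): enable gpsvc.log and extract CSE return codes from it.
# Assumption: standard GPSvcDebugLevel switch; HRESULT names are the usual Windows definitions.

function Enable-GpsvcDebugLog {
    # GPSvcDebugLevel = 0x30002 turns on verbose logging to %windir%\debug\usermode\gpsvc.log.
    # The usermode folder may not exist yet; the service will not create it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name GPSvcDebugLevel -Value 0x30002 -Type DWord
    $dir = Join-Path $env:windir 'debug\usermode'
    if (-not (Test-Path $dir)) { New-Item -Path $dir -ItemType Directory | Out-Null }
    "GPSVC debug logging enabled; run 'gpupdate /force' and read $dir\gpsvc.log"
}

# Codes seen in practice around the Audit Policy CSE. Anything else is reported raw.
$hresultNames = @{
    '0x00000000' = 'S_OK'
    '0x8000000a' = 'E_PENDING (extension did not finish; GPSVC logs it as e_pending)'
    '0x80070002' = 'ERROR_FILE_NOT_FOUND (The system cannot find the file specified)'
    '0x80070005' = 'E_ACCESSDENIED'
}

function Get-GpsvcExtensionResult {
    # Emit one object per "ProcessGPOList: Extension <name> returned <hresult>." line.
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '^GPSVC\((?<proc>[0-9a-f]+)\.(?<thr>[0-9a-f]+)\)\s+(?<time>[\d:]+)\s+' +
               'ProcessGPOList: Extension (?<ext>.+?) returned (?<code>0x[0-9a-fA-F]+)\.'
    foreach ($l in $Lines) {
        if ($l -match $pattern) {
            $code = $Matches.code.ToLower()
            $meaning = if ($hresultNames.ContainsKey($code)) { $hresultNames[$code] } else { 'unknown HRESULT' }
            [pscustomobject]@{
                Time      = $Matches.time
                Thread    = "$($Matches.proc).$($Matches.thr)"
                Extension = $Matches.ext
                Code      = $code
                Meaning   = $meaning
                Failed    = ($code -ne '0x00000000')
            }
        }
    }
}

function Get-GpsvcRemovedGpo {
    # GPOs the engine decided to remove this cycle, e.g. an audit GPO whose link was deleted.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($l in $Lines) {
        if ($l -match 'CheckForGPOsToRemove: GPO <(?<gpo>[^>]+)> needs to be removed') { $Matches.gpo }
    }
}

# Constructed sample, taken from the log excerpt in the thread, so the parser can be tried offline.
$sample = @(
    'GPSVC(84.ca4) 12:40:50:926 ProcessGPOs: Processing extension Audit Policy Configuration'
    'GPSVC(84.ca4) 12:40:50:926 CheckForGPOsToRemove: GPO <WW_CFG_C_Audit_Policy> needs to be removed'
    'GPSVC(84.ca4) 12:40:50:926 ProcessGPOList: Entering for extension Audit Policy Configuration'
    'GPSVC(84.ca4) 12:40:50:942 ProcessGPOList: Extension Audit Policy Configuration returned 0x8000000a.'
    'GPSVC(84.ca4) 12:40:50:942 ProcessGPOs: Extension Audit Policy Configuration ProcessGroupPolicy returned e_pending.'
)
'GPOs being removed: ' + ((Get-GpsvcRemovedGpo -Lines $sample) -join ', ')
Get-GpsvcExtensionResult -Lines $sample | Format-Table -AutoSize

# On the affected DC, after Enable-GpsvcDebugLog and gpupdate /force:
# Get-GpsvcExtensionResult -Lines (Get-Content "$env:windir\debug\usermode\gpsvc.log") | Where-Object Failed
```

Running the filter over a full log from a healthy member server and from the failing DC side by side shows immediately which extension differs: only the Audit Policy Configuration extension should return something other than S_OK on the DC, which narrows the search to that CSE rather than to Group Policy processing as a whole.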
  • I managed to get a bit more information on this issue: it only affects domain controllers; the Advanced Audit Policy on member servers is being applied just fine.
    Monday, September 07, 2015 8:54 AM