Audit policy being overwritten by “something”

    Question

  • Hello

    We have three DCs in our environment. One of our applications uses the logon events stored on the DCs to authorize users. We have a GPO dedicated to the Domain Controllers OU, and the audit policy is set to log success and failure logon events. The problem is that in Event Viewer the logon event that I know should be there is missing (logon type 2, event ID 4624). I checked on all DCs and could not find that logon event. In secpol.msc the default should be logging success, but failure is checked and grayed out. In Security Options, "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is set to Disabled. When I change it to Enabled, red circles appear on the audit policy in RSOP. (In RSOP I can see the policy applied to log success and failure.)

    My first question is why the logs are not working properly (sometimes only failures and sometimes none of them), and the second question is which configuration is correct for my purpose? (Should "Audit: Force audit policy subcategory..." be disabled or enabled?)

    Thanks in advance






    Tuesday, August 04, 2015 5:39 AM

Answers

  • I solved the problem.

    I couldn't find what was wrong in my configuration, but the problem was solved and audit logon events are being generated after enabling auditing from "Advanced Audit Policy Configuration" under Security option in GPMC.

    • Proposed as answer by Lepide Thursday, August 06, 2015 11:15 AM
    • Marked as answer by Elaine Jing (Moderator) Monday, August 10, 2015 11:51 AM
    Thursday, August 06, 2015 4:29 AM
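
A check that can be run on each DC to compare the two settings discussed in this thread with what is actually being audited. This is an added example, not part of the original posts; it assumes an elevated PowerShell session and English-language `auditpol` output (column and subcategory names are localized).

```powershell
# Added example; run elevated on each domain controller.
$ErrorActionPreference = 'Stop'

# 1. State of "Audit: Force audit policy subcategory settings ..." as stored
#    in the registry (1 = enabled: legacy category policy is not applied).
$lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$raw   = $lsa.SCENoApplyLegacyAuditPolicy
$force = if ($null -eq $raw) { 'not set' } elseif ($raw -eq 1) { 'enabled' } else { 'disabled' }

# 2. Effective subcategory settings. This is what the DC really audits,
#    regardless of what secpol.msc or RSOP display for the legacy categories.
$rows  = auditpol /get /category:"Logon/Logoff" /r | Where-Object { $_ } | ConvertFrom-Csv
$logon = $rows | Where-Object { $_.Subcategory -eq 'Logon' }
if (-not $logon) { throw "No 'Logon' subcategory in auditpol output (non-English OS?)" }
$effective = $logon.'Inclusion Setting'

# 3. Most recent interactive logon events (event ID 4624, logon type 2).
$xpath  = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='2']]"
$events = @(Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 `
                -ErrorAction SilentlyContinue)

# 4. One summary object per DC, easy to compare across all three.
New-Object PSObject -Property @{
    Computer                 = $env:COMPUTERNAME
    ForceSubcategoryOverride = $force
    EffectiveLogonAudit      = $effective
    RecentType2Logons        = $events.Count
    NewestType2Logon         = $(if ($events.Count) { $events[0].TimeCreated } else { $null })
}

if ($effective -notmatch 'Success') {
    Write-Warning "Logon subcategory is '$effective': successful logons (4624) are not audited."
}
```
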

All replies

  • I found something: I changed the GPO audit setting to Not Defined, then in secpol changed audit to success and failure by check mark. Now after gpupdate /force I see secpol return to just failure (it unchecks success). That means one policy somewhere is overriding this setting. But where? In RSOP I see nothing related! All my DCs are 2008 R2 and this happens on all of them.
    Tuesday, August 04, 2015 12:35 PM