Advanced Auditing

    Question

  • First things first.  I am NOT trying to go back to category level auditing. I am trying to get my Advanced Auditing policies to apply.

    I am attempting to get this Advanced Auditing policy to apply to a Windows 2008 R2 member server.  

    I have a group policy configured which has Advanced Auditing enabled (Success and Failure) for various policies.  I have the group policy applied to the appropriate users group and I have the policy linked to the correct OU.  Running "gpresult /scope computer /R" on the server shows that the policy is applied to the computer, but when I run "auditpol /get /category:*" all policies come back as NO AUDITING.  I know sometimes these tools do not return proper auditing results so I have also checked the security event log, which has no auditing entries.  

    "gpresult /h result.html" shows the auditing policy is applied.  
    RSOP does not show the advanced auditing.

    I have no other policies that have Legacy or category auditing enabled.  (Other than domain controller policies, but the server I am attempting to apply this advanced auditing policy to is not a domain controller so it shouldn't matter.)

    I have "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" set to ENABLED.

    I have a test folder on this server that has auditing enabled for my specific group (Folder properties > Security Tab > Advanced > Auditing Tab > "everyone" list for Full control for Success and Failures).  

    The server has been rebooted.

    The audit.csv file on the local member server at c:\windows\Security\Audit only shows headers but no policies.  I deleted this file, ran a gpupdate and the file comes back but same as before.
    The audit.csv file in SYSVOL (%systemroot%\SYSVOL\domain\Policies\[GUID OF POLICY]\Machine\Microsoft\Windows NT\Audit) shows the correct policies.

    What am I missing?  Why isn't the audit.csv from SYSVOL being applied to this member server?

    I have reviewed the other "Advanced Auditing not applying" technet articles but none address my situation.

    Thank you for your help

    Joshua



    Tuesday, October 20, 2015 8:18 PM
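
The check described in the question (GPO audit.csv in SYSVOL versus what auditpol reports as effective) can be scripted. This is an added example, not part of the original thread; the CSV samples are constructed, `SERVER01` is a placeholder, and `Compare-AuditPolicy` is a hypothetical helper name.

```powershell
# Added example. The two CSV samples are constructed; SERVER01 is a placeholder name.
# Constructed copy of a GPO's audit.csv as stored in SYSVOL.
$gpoCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success,,1
'@
# Constructed output of: auditpol /get /category:* /r
$effectiveCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SERVER01,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},No Auditing,
SERVER01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,
'@

# Hypothetical helper: report each subcategory the GPO sets and what is in effect.
function Compare-AuditPolicy {
    param([object[]]$Gpo, [object[]]$Effective)
    # auditpol reports text only; map it to the numeric "Setting Value" used in audit.csv.
    # Assumes English-language auditpol output.
    $value = @{ 'No Auditing' = 0; 'Success' = 1; 'Failure' = 2; 'Success and Failure' = 3 }
    # Join on the GUID: display names differ ("Audit File System" vs "File System").
    $byGuid = @{}
    foreach ($e in $Effective) {
        if ($e.'Subcategory GUID') { $byGuid[$e.'Subcategory GUID'.ToUpper()] = $e.'Inclusion Setting' }
    }
    foreach ($g in $Gpo) {
        if (-not $g.'Subcategory GUID') { continue }   # skip rows that are not subcategories
        $actual = $byGuid[$g.'Subcategory GUID'.ToUpper()]
        New-Object psobject -Property @{
            Subcategory = $g.Subcategory
            Expected    = $g.'Inclusion Setting'
            Effective   = $actual
            Applied     = ($actual -ne $null -and $value[$actual] -eq [int]$g.'Setting Value')
        } | Select-Object Subcategory, Expected, Effective, Applied
    }
}

$gpo       = ($gpoCsv -split '\r?\n') | ConvertFrom-Csv
$effective = ($effectiveCsv -split '\r?\n') | ConvertFrom-Csv
# On a live server, replace the two lines above with (GPO path is yours to fill in):
#   $gpo       = Import-Csv '<path to the GPO''s audit.csv in SYSVOL>'
#   $effective = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
Compare-AuditPolicy -Gpo $gpo -Effective $effective | Format-Table -AutoSize
```

A row with `Applied` false for a subcategory the GPO sets reproduces the symptom in the question: the setting exists in SYSVOL but is not the effective policy on the server.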

All replies

  • > What am I missing?  Why isnt the audit.csv from SYSVOL being applied to
    > this member server?
     
    Check this post:
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Wednesday, October 21, 2015 8:46 AM
  • I hope Martin has provided you the best approach to resolve your concern.

    However, for additional information you can also walk through this other informative resource to gather more details in depth: https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx

    This PDF guide also looks good for dealing with such cases: http://www.lepide.com/guide/enable-active-directory-security-auditing.pdf


    Organizations who want to increase their visibility as to what's happening in their IT environments but are perhaps limited on time, resources or budget. Lepide 2020 audit & change control suite provides instant access to see who, what, where and when changes are being made to Active Directory, Group Policy, SQL Servers, SharePoint, File Servers, Exchange Servers and more.

    Wednesday, October 21, 2015 9:16 AM
  • Hi Martin,

    Thank you for the response but I am curious what specifically in this article addresses my issue?

    Wednesday, October 21, 2015 3:11 PM
  • The article I linked does not address any specific issue. I just found
    it to be a good starter to find out what your auditing is doing and why :)
     
    > (Success and Failure) for various policies.  I have the group policy
    > applied to the appropriate users group
     
    Hopefully a typo and this is a computer group?
     
    > gpresult/h result.html shows the auditing policy is applied.
    > RSOP does not show the advanced auditing
     
    That's expected. RSOP.MSC can only handle GPO settings up to XP/2003 and
    is since deprecated.
     
    > The audit.csv file on the local member server at
    > c:\windows\Security\Audit only shows headers but no policies.  I deleted
    > this file, ran a gpupdate and the file comes back but same as before.
     
    That's expected - this AFAIK is only the local audit policy settings.
     
    > What am I missing?  Why isnt the audit.csv from SYSVOL being applied to
    > this member server?
     
    Honestly I don't know. I've never seen this "not working" the way you
    are describing it.
     

    Greetings/Grüße, Martin

    Wednesday, October 21, 2015 3:36 PM
  • Andres,

    Your attached is the missing link I needed.  It appears any file auditing policies MUST be in the default domain policy and not a separate policy.  I modified my Default Domain Policy with the appropriate changes, ran a gpupdate on a server and I can see auditing logs now.

    Thank you very much!

    Joshua

    Wednesday, October 21, 2015 3:44 PM
  • > Your attached is the missing link I needed.  It appears any file
    > auditing policies MUST be in the default domain policy and not a
    > separate policy.
     
    Uhm - I disagree with that. We have our related GPO linked to the OU
    where our servers reside. And I can confirm it works.
     
    Is your DDP enforced?
     

    Greetings/Grüße, Martin

    Wednesday, October 21, 2015 3:58 PM
  • Hmm.  Bad assumption on my part.  I apologize.

    The default domain policy is not enforced.  I tried to enforce the File Auditing policy and it has no effect.

    The file auditing policy is for Authenticated users linked to the OU of my servers.

    Thanks again for your assistance.

    Wednesday, October 21, 2015 4:03 PM
  • > The file auditing policy is for Authenticated users linked to the OU of
    > my servers.
     
    Then I'm kind of "out of game"... I have no idea why it works here and
    not at your site?!? ;-((
     

    Greetings/Grüße, Martin

    Thursday, October 22, 2015 8:18 AM