none
Cannot update Security Settings via GPO on Win2008 R2

    Question

  • Hello,

    On two of my Win2008 R2 DC, I cannot update Security Settings via GPO. 

    GPOs are allowed and no error is logged but anything under Security Settings isn't updated by changed made. 
    I know the GPOs itself is applied since Admin Templates will update accordingly 

    So lets say I add, remove or change Audit Policies and then GPupdate force on the target, the changes reflected will not take effect and will not be listed in the RSoP.

    Any idea on what is going on here? I've tried many things I found searching online for two days but nothing does it. I used to work a few weeks ago but as soon a started messing around with Audit Policies, it's now broken...

    Thursday, July 07, 2016 4:41 PM

Answers

All replies

  • Hi,

    Thanks for your post.

    Check if the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting is enabled. That will enforce the 'advanced' auditing categories.

    Please see the below description of this setting:

    “legacy audit settings can be applied to all Windows versions, the advanced audit settings can be applied only to Windows Vista and above, and Windows 2008 and above. Implementing both the legacy and advanced audit policy settings will cause unexpected outcomes due to conflicts between similar settings in the two groups of policy settings. Enabling the Audit: Force audit policy subcategory settings (Windows Vista or later) will ensure the legacy audit settings are ignored. In other words, If this option is checked, legacy Audit policies (pre-vista) will not be applied and must be set under Advanced Audit Policy Configuration.”

    Please verify this setting in your environment.

    More article for your reference:

    Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

    https://technet.microsoft.com/en-us/library/dd772710%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Getting the Effective Audit Policy in Windows 7 and 2008 R2

    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, July 08, 2016 4:36 AM
    Moderator
  • Hi,

    I have already tried those articles and the methods proposed. Unfortunately it did not work. 
    The effective audit policies are not reflecting the GPO applied to the machine. 

    Anything I configure under Advanced Audit Policies is simply not applied when the GPO is grabbed. All other settings / policies in the said GPO will be applied.

    I would post some screenshots of the issue but I cannot on this forum (account not verified apparently so I cannot post links)

    Something seems out of sync or broken but no error or warning is reported. 


    Friday, July 08, 2016 12:51 PM
  • > So lets say I add, remove or change Audit Policies and then GPupdate
    > force on the target, the changes reflected will not take effect and will
    > not be listed in the RSoP.
     
    Maybe AskDS can help:
     
    Friday, July 08, 2016 1:23 PM