The audit policy in Local Security Policy is not affected by GPO

    Question

  • Hi,

    I would like to configure audit policy on my domain controller. When I go to Local Security Policy on the DC, I see that the setting of audit policy is NOT DEFINED. But I cannot enable the setting in Local Security Policy.
    After researching, I understand that if I configure audit policy in GPO/ Domain Controllers/Default Domain Controller Policy, it will also affect the Local Security Policy of the DC. I configured the audit policy there and also did gpupdate /force. But when I come back to Local Security Policy, the setting is still NOT DEFINED. I can confirm that my DC already belongs to the Domain Controller OU. So now I don't know how to enable audit policy in Local Security Policy. Please help me fix it.

    Thank you so much.
    Thursday, February 4, 2016 12:34 PM

All replies

  • Hi,

    Please look in RSOP.MSC or GPRESULT /V to check if the policies are getting applied.

    To move on, I would like to confirm the following with your help:

    1. Regarding the sentence “I cannot enable the setting in Local Security Policy.” Do you mean that the change settings in local security policy are greyed out?

    Please help to collect some screenshots and paste them directly in our forum.

    2. Apart from configuring the audit policy in GPO/ Domain Controllers/Default Domain Controller Policy, have you tried configuring other policies as a test?

    3. How many DCs are there in your environment? Does this issue happen to all DCs or just the specific DC?

    Besides, after running the GPUPDATE command, please try restarting the server to see whether the audit settings take effect.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, February 5, 2016 4:52 AM
    Moderator
  • Hi,

    Thank you for your reply. So sorry for the late response, because we've just had a holiday.
    Back to your questions:

    1. Regarding the sentence “I cannot enable the setting in Local Security Policy.” Do you mean that the change settings in local security policy are greyed out?

    Yes, they are greyed out

    2. Apart from configuring the audit policy in GPO/ Domain Controllers/Default Domain Controller Policy, have you tried configuring other policies as a test?

    Yes, I did. Other policies are effected.

    3. How many DCs are there in your environment? Does this issue happen to all DCs or just the specific DC?


    There are 6 DCs and this issue happens to all of them.

    Please see the link for the picture that you requested.

    http://i.imgur.com/x5lD4DD.png

    http://i.imgur.com/M1Md6kh.png

    Thank you.


    Monday, February 15, 2016 1:51 AM
  • Hi,

    Please try to remove the audit settings from the Default Domain Controller Policy. Create a new GPO and link it to the Domain Controllers OU. Make sure to set the policy hierarchy, i.e. the custom-created audit policy comes 1st and then comes the Default Domain Controller Policy.

    Best Regards,

    Alvin Wang



    Monday, February 15, 2016 7:44 AM
    Moderator
  • Hi all,

    I solved it by renaming the file audit.csv. Thank you all.

    Tuesday, February 16, 2016 3:01 AM
  • Hi,

    Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang



    Tuesday, February 16, 2016 3:10 AM
    Moderator
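
A read-only check for the situation in this thread, as an added example that is not part of the original posts: it repeats the GPRESULT check, reads the effective audit policy with auditpol, and lists every audit.csv that could be supplying settings. The file locations are assumptions based on default Windows paths; the thread does not say which audit.csv was renamed.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
# Assumed paths: default Windows locations for audit.csv; the thread does not
# say which copy of audit.csv was renamed. Nothing here modifies any setting.

# 1. Computer-scope GPOs actually applied (the GPRESULT check from the reply).
gpresult.exe /scope computer /r

# 2. Effective audit policy. auditpol /r emits CSV; drop blank lines first.
#    The 'Inclusion Setting' column name is the English one and is localized
#    on non-English systems.
$effective = auditpol.exe /get /category:* /r |
    Where-Object { $_ -and $_.Trim() } |
    ConvertFrom-Csv
$effective |
    Sort-Object Subcategory |
    Format-Table Subcategory, 'Inclusion Setting' -AutoSize

# 3. Every audit.csv that can feed that policy: local GPO plus domain GPOs.
$localCsv = Join-Path $env:SystemRoot `
    'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
$domain = $env:USERDNSDOMAIN
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

$found = @()
if (Test-Path -LiteralPath $localCsv) {
    $found += Get-Item -LiteralPath $localCsv -Force
}
if ($domain -and (Test-Path -LiteralPath $sysvol)) {
    $found += Get-ChildItem -LiteralPath $sysvol -Recurse -Force `
        -Filter 'audit.csv' -ErrorAction SilentlyContinue
}

# 4. Report each file with its age and number of setting rows (minus header).
$found | ForEach-Object {
    $rows = @(Get-Content -LiteralPath $_.FullName | Where-Object { $_.Trim() })
    [pscustomobject]@{
        Path        = $_.FullName
        LastWritten = $_.LastWriteTime
        SettingRows = [math]::Max($rows.Count - 1, 0)
    }
} | Format-List
```

Comparing the auditpol output with the audit.csv files found shows whether the DC has effective audit settings even though Local Security Policy displays NOT DEFINED.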