Advanced Configuration settings not applying

    Question

  • Hi,

    I wondered if anyone has faced a problem applying advanced auditing via GPO.

    Until lately I had, in a 2008 R2 domain, a GPO for all member servers that applies Basic Auditing.

    I noticed that the security log is getting spoofed with many events, so I decided to minimize that by using advanced auditing instead of basic, and then choosing specific subcategories.

    I edited the same GPO and set "not configured" on the whole Auditing Policy section, then moved to advanced auditing and chose the needed subcategory.

    I also selected the option: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings".

    When I apply gpupdate force on the servers and then check auditpol /get /category:*

    in the output I see that it is still stuck on the old basic policy (all subcategories are set), not applying the advanced policy.

    Any ideas what I am missing?

    Thanks

    Abed

    Thursday, July 02, 2015 6:41 AM

All replies

  • > on the output seen that it is still stuck on old basic policy(all
     
    Assuming that your GPOs are all applied as desired (check gpresult /h
    report.html in an elevated commandline), you might verify with AskDS:
     
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, July 02, 2015 7:42 AM
  • Hi Martin,

    In the HTML report I noticed that the needed settings are not shown.

    The GPO itself is in the "Applied GPOs" list, but further down in the report the auditing settings are not shown - I cannot see them, meaning not applied.

    I see only that "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is applied.

    So what am I mistaken about?

    Thanks

    Abed

    Thursday, July 02, 2015 10:18 AM
  • Hi Abed,

    As we know, you should not trust any of the Group Policy reporting tools when it comes to audit settings. Please use the command below to examine the audit policy setting:

    auditpol.exe /get /category:*

    Only auditpol reads the actual super-top-secret-eyes-only-licensed-to-kill-shaken-not-stirred registry key that stores the current, effective set of auditing policy that LSASS.EXE consumes:

    HKEY_Local_Machine\Security\Policy\PolAdtEv

    Please have a check. If it’s not in that key, it’s not getting audited.

    Best Regards,

    Elaine


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 06, 2015 7:37 AM
    Moderator
  • Hi Elaine

    Thanks for the notes. I did exactly that, but unfortunately got the same results.

    Let me summarize the issue again:

    * I now have one GPO that includes an auditing setting for "object access" under "Advanced auditing configuration"

    * In the same GPO, "basic auditing" is set to "not defined"

    * In the same GPO I've enabled the security option - audit: "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - to override the old basic settings that were applied before.

    * I've run gpupdate force on the servers - no change occurs. Checked with gpresult /h and with auditpol /get /category:*

    It is still not applying the advanced audit settings in the GPO; here is the output:

    C:\Users\abed\Desktop>auditpol /get /category:*
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   No Auditing
      Logoff                                  No Auditing
      Account Lockout                         No Auditing
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
    Object Access
      File System                             Success and Failure
      Registry                                Success and Failure
      Kernel Object                           Success and Failure
      SAM                                     Success and Failure
      Certification Services                  Success and Failure
      Application Generated                   Success and Failure
      Handle Manipulation                     Success and Failure
      File Share                              Success and Failure
      Filtering Platform Packet Drop          Success and Failure
      Filtering Platform Connection           Success and Failure
      Other Object Access Events              Success and Failure
      Detailed File Share                     Success and Failure
    Privilege Use
      Sensitive Privilege Use                 No Auditing
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
    Detailed Tracking
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Process Creation                        No Auditing
    Policy Change
      Audit Policy Change                     No Auditing
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon

    any other ideas?



    Wednesday, July 08, 2015 9:46 AM
  • Hi Abed,

    As I can see from the output above, the advanced object access audit has been applied:

    Object Access
      File System                             Success and Failure
      Registry                                Success and Failure
      Kernel Object                           Success and Failure
      SAM                                     Success and Failure
      Certification Services                  Success and Failure
      Application Generated                   Success and Failure
      Handle Manipulation                     Success and Failure
      File Share                              Success and Failure
      Filtering Platform Packet Drop          Success and Failure
      Filtering Platform Connection           Success and Failure
      Other Object Access Events              Success and Failure
      Detailed File Share                     Success and Failure



    Thursday, July 09, 2015 6:35 AM
    Moderator
  • that's exactly my problem!

    It applied all subcategories of "object access".

    I set the advanced audit policy to apply only to File System - success & failure.

    That means the server still has the old settings applied from the basic policy and is not applying the new one! And I don't know why it is not applying only the new policy and not removing the old ones.

    Thursday, July 09, 2015 6:51 AM
  • Hi Abed,

    I built a test Windows Server 2008 R2 domain and ran a test on it, with the same configuration as yours.

    But in the output only the File System audit policy is applied, not all the Object Access items.

    So, would you please check whether your system has the latest patches installed?

    Best Regards,

    Elaine



    Monday, July 13, 2015 2:35 AM
    Moderator
    For sure the system is up to date with all the latest updates.

    Really strange what is occurring on my side.

    Wednesday, July 15, 2015 10:54 AM
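
The comparison this thread does by eye, as an added example (not from any poster or from Microsoft): parse saved `auditpol /get /category:*` text output and list every subcategory whose effective setting differs from the intended policy. The sample is an excerpt of the output posted above; English-language output and the names `parse_auditpol`, `drift` and `INTENDED` are assumptions of this example.

```python
import re

# Constructed sample: an excerpt of the `auditpol /get /category:*` output
# posted in the thread (English-language output assumed).
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           Success and Failure
  Detailed File Share                     Success and Failure
Detailed Tracking
  Process Creation                        No Auditing
"""

# Intended policy from the thread; anything not listed should be "No Auditing".
INTENDED = {("Object Access", "File System"): "Success and Failure"}
ROW = re.compile(r"^\s*(.+?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$")
SKIP = ("System audit policy", "Category/Subcategory")

def parse_auditpol(text):
    """Return {(category, subcategory): setting} from auditpol text output."""
    policy, category = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(SKIP) or ">auditpol" in stripped.lower():
            continue  # blank line, report header, or the echoed command prompt
        m = ROW.match(line)
        if m and category is not None:
            policy[(category, m.group(1))] = m.group(2)
        elif not m:
            category = stripped  # a line without a setting starts a category
    return policy

def drift(effective, intended):
    """List (category, subcategory, expected, actual) for every mismatch."""
    out = []
    for key in sorted(set(effective) | set(intended)):
        expected = intended.get(key, "No Auditing")
        actual = effective.get(key, "<missing>")
        if actual != expected:
            out.append((*key, expected, actual))
    return out

if __name__ == "__main__":
    for cat, sub, exp, act in drift(parse_auditpol(SAMPLE), INTENDED):
        print(f"{cat} / {sub}: expected {exp!r}, effective {act!r}")
```

Run against output collected from each server after a policy refresh, an empty result means the effective policy matches the intended one.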