Policy applying, but the settings are not

    Question

  • Have an odd issue where GPO is applying, I'm setting auditing on, all Audit Policy settings are turned on for Success and Failure, and the policy is applying.  But I have nothing in the security log file.  GPResult shows the policy applied.

    Out of curiosity I opened the local GPEdit.msc.  When I look at the audit settings, they are controlled by domain policy, in other words, the icon is changed, and the settings are grayed out.  BUT success and failure is not checked off, they are all set to No Auditing. 

    Clearly it's like I have a competing policy that says No Auditing, but I do not.  Any thoughts?

    FYI:

       Applied Group Policy Objects
       -----------------------------
           _SecAudit
           _DFS Slow link mode
           Default Domain Policy
           Local Group Policy

       The computer is a part of the following security groups
       -------------------------------------------------------
           BUILTIN\Administrators
           Everyone
           SQLServerMSSQLServerADHelperUser$PRAPC1CTX
           BUILTIN\Users
           NT AUTHORITY\NETWORK
           NT AUTHORITY\Authenticated Users
           This Organization
           PRAPC1CTX$
           Domain Computers
           System Mandatory Level

       Resultant Set Of Policies for Computer
       ---------------------------------------

           Software Installations
           ----------------------
               N/A

           Startup Scripts
           ---------------
               N/A

           Shutdown Scripts
           ----------------
               N/A

           Account Policies
           ----------------
               GPO: Default Domain Policy
                   Policy:            LockoutDuration
                   Computer Setting:  11

               GPO: Default Domain Policy
                   Policy:            MaximumPasswordAge
                   Computer Setting:  183

               GPO: Default Domain Policy
                   Policy:            MinimumPasswordAge
                   Computer Setting:  N/A

               GPO: Default Domain Policy
                   Policy:            ResetLockoutCount
                   Computer Setting:  11

               GPO: Default Domain Policy
                   Policy:            LockoutBadCount
                   Computer Setting:  5

               GPO: Default Domain Policy
                   Policy:            PasswordHistorySize
                   Computer Setting:  2

               GPO: Default Domain Policy
                   Policy:            MinimumPasswordLength
                   Computer Setting:  8

           Audit Policy
           ------------
               GPO: _SecAudit
                   Policy:            AuditPolicyChange
                   Computer Setting:  Success, Failure

               GPO: Default Domain Policy
                   Policy:            AuditDSAccess
                   Computer Setting:  Success, Failure

               GPO: _SecAudit
                   Policy:            AuditAccountManage
                   Computer Setting:  Success, Failure

               GPO: _SecAudit
                   Policy:            AuditDSAccess
                   Computer Setting:  Success, Failure

               GPO: Default Domain Policy
                   Policy:            AuditAccountLogon
                   Computer Setting:  Success, Failure

               GPO: _SecAudit
                   Policy:            AuditPrivilegeUse
                   Computer Setting:  Success, Failure

               GPO: _SecAudit
                   Policy:            AuditAccountLogon
                   Computer Setting:  Success, Failure

               GPO: _SecAudit
                   Policy:            AuditLogonEvents
                   Computer Setting:  Success, Failure

               GPO: _SecAudit
                   Policy:            AuditSystemEvents
                   Computer Setting:  Success, Failure

               GPO: Default Domain Policy
                   Policy:            AuditLogonEvents
                   Computer Setting:  Success, Failure

               GPO: Default Domain Policy
                   Policy:            AuditAccountManage
                   Computer Setting:  Success, Failure

    • Edited by wwwillster07 Thursday, July 07, 2016 9:12 PM added output of gpresult
    Thursday, July 07, 2016 9:04 PM

Answers

  • Hi,

    Have you installed the updates MS16-072?

    If yes, you could refer to the article below to fix the problem.

    MS16-072: Security update for Group Policy: June 14, 2016

    https://support.microsoft.com/en-us/kb/3163622

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 27, 2016 10:34 AM
    Moderator

All replies

  • Is the advanced security audit policy forced in another GPO?

    best regards Switch MCITP Enterprise Administrator MCSA Windows Server 2012 MCTS Windows 7 Configuration Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, July 07, 2016 10:35 PM
  • Here's an update.  I created a test OU and moved this machine into it.  The only thing that OU is inheriting is the default domain policy, which contains no audit settings.

    After a GP update and reboot, confirmed that there are no audit settings enabled.  Then I opened the local GP editor, and sure enough the icon was the local icon, not the domain setting icon, and when I opened each audit setting I was able to check off Success and Failure on each.

    I then closed gpedit.  And immediately opened it again, and those settings were gone.

    Either I missed something blatantly silly or there's a bug :)

    Thursday, July 07, 2016 10:54 PM
  • Just to be 100% sure - please check:

    Computer Configuration\Windows Settings\Security Settings\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

    On which OS do you face this behaviour?


    best regards Switch MCITP Enterprise Administrator MCSA Windows Server 2012 MCTS Windows 7 Configuration Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, July 08, 2016 6:38 AM
  • check this and see if you're in the land of confusion:

    https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Friday, July 08, 2016 6:58 AM
  • Hi,

    Thanks for your post.

    Have an odd issue where GPO is applying, I'm setting auditing on, all Audit Policy settings are turned on for Success and Failure, and the policy is applying.  But I have nothing in the security log file.  GPResult shows the policy applied.

    >>>I suggest you run the command gpresult /h C:\gpresult.html as administrator to check whether those audit policies have been applied.

    To test if the policies work:

    1. Check the audit logon audit (both success and failure)
    2. Perform logon and logoff repeatedly
    3. Check if there are logon and logon event in Event Viewer

    I then closed gpedit.  And immediately opened it again, and those settings were gone

    >>>I have tested for this.

    In local group policy, I could see those audit settings. But those settings are overridden by domain group policy, they are greyed out and I cannot edit them in local group policy.

    Would you tell me what the OS of your computer is?

    Best Regards,

    Jay



    Friday, July 08, 2016 7:44 AM
    Moderator
  • I had a big Homer Simpson D'OH moment when I read that and raced to the settings, having completely forgotten they were there...no dice, all not configured.

    The issue is happening on a 2008 R2 server, which happens to be a Citrix XenApp server, just throwing it out there in case THAT's an issue.  But I'm noticing a few other wonky things in this domain.

    But this server, I created a test OU and it's the only server in there.  Right now I'm only applying the audit policy.  Literally one policy with success and failure for ALL of the audit settings now.  gpresult /z shows the policy is applied.  I can see that it's applied when I look at the local gpedit, but the settings don't match....more to come


    Friday, July 08, 2016 4:43 PM
  • Jay you are correct in your picture above, the settings are grayed out when looking at the local editor, but you still SEE the correct domain settings.  This is not my case.  Mine are grayed out because they are domain settings, but the wrong settings are grayed out.  They are not what is set in the domain policy.

    It doesn't matter what tool I use to see the settings or how I generate (gpresult /z or gpresult /h) the report, the report tells me it's applied.  It's simply not.  It is a newly built Windows 2008 R2 box.

    Running a few tests, I'll update again shortly.

    Friday, July 08, 2016 5:00 PM
  • Interestingly, I went to the advanced audit policy settings, I enabled the 4 for account logon:

    audit credential..

    audit kerberos..

    audit kerberos..

    audit other..

    Now I have success and failure enabled for account logon...under the *normal* audit policy setting when viewed in the local editor.

    Friday, July 08, 2016 5:16 PM
  • Just to be clear, I'm not trying to edit domain policies with the local editor.  I'm merely pointing out that when you have a domain setting and open the local editor, although grayed out, it will show what the setting is.  In my case it's showing the wrong setting.

    So here's what I've done, and how I might have to leave it for today since I have other things to tend to.  But this server is in an OU by itself, inheritance is blocked.  I have one new policy I created named Auditing and it's applied to this OU.  I also enabled Loopback replace, since my user account is in another OU that has other settings I don't want messing with these tests.

    Under Audit Policy I have everything enabled, and set for Success and Failure and there's nothing in the security log.

    I then go to the policy named Auditing and go to the advanced auditing settings and turn on the following, success and failure in all cases:

    Account Logon, all 4 settings

    Account Management, all 6 settings

    Logon/Logoff, all 9 settings

    Everything else under Advanced Audit Policy Configuration is left as Not configured.

    Force a gpupdate on that server, my security log is suddenly flooded with entries.

    Now when I open the local GP editor under Local Policies>audit policy I can see the domain "icon" for all of the settings I have set at the domain level, but they are set to No auditing, except:

    Audit account logon events, showing success, failure

    Audit account management, showing success, failure

    Audit logon events, showing success, failure

    These correlate to the settings I set under Advanced.

    Now the fun part, when I drill down to Advanced Audit Policy Configuration in that same local editor, those settings are all set to Not Configured.

    Ok, enough with the local editor.  But it's clear that the only way I can get any audit logging turned on is through the ADVANCED audit configuration.  Why?

    And by the way, the GPRESULT /H before and after adding the advanced settings look exactly the same, except that after I made the advanced settings, those settings are showing up in the output.

    Little crazy, but everyone follow?  I can add in screen shots to prove I'm not making this up if necessary :)

    Friday, July 08, 2016 5:41 PM
  • I remember myself having issues with local imported Citrix ADMX Templates... but I don't suspect these.

    Tbh I am not 100% sure what's going wrong in your configuration. But here's some advice you really should follow, as it gets really confusing if you mix up "legacy" audit policies with Advanced Audit Policy, especially if you use the default domain policy to configure some audit settings.

    • If you use the Advanced Audit Policy Configuration settings, you should enforce those settings by enabling:
      Computer Configuration\Windows Settings\Security Settings\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
      Otherwise you will get inconsistent results.

    • Don't use RSOP.exe (EVIL!!!), gpedit.msc, or even gpresult.exe to diagnose Advanced Audit Policy Settings. Instead use auditpol.exe. Here's a great article about Getting the effective audit policy in Windows 7 / Server 2008 R2.

    • How are the audit settings in the default domain policy configured? If those are Advanced Audit Policy Settings, the default domain policy will always be "enforced". What happens in this case, is the local "legacy" audit Policy setting will be cleared, before the Advanced Audit Policy Configuration will be applied. 
      See Advanced Security Auditing FAQ
    • Again: don't mix up both audit settings!!!!

    I recommend the following configuration in your environment:

    1. Move the audit settings from the default domain policy to another policy (e.g. "POL_Auditing") on domain level to bypass the de-facto enforcement of the domain policy.

    2. If your environment contains computers prior to Windows NT 6.1 (which is Vista / Server 2008 and below), create and use a WMI Filter on this GPO to filter out (exclude) Server 2008 R2 / Windows 7 and above.

    3. Ensure this policy setting is using "legacy audit settings" and configure them appropriately.
    4. Create another GPO for NT 6.1 and above (Server 2008 R2 & Windows 7 and above) - e.g. "POL_Adv_Auditing"
    5. Create a WMI Filter to filter out Vista/Server 2008 and below.
    6. Use this WMI Filter for the new GPO POL_Adv_Auditing to filter out Vista/2008 and below.
    7. Enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    8. Configure Advanced Audit Policy Settings appropriately.

    Info: Vista and Server 2008 are capable of using the advanced audit policy settings BUT you can't control them by Group Policy. You need to do this by a Logon Script while using auditpol.exe to configure the settings.

    One other thing I don't really understand: what are you trying to achieve with those auditing settings? For example, you audit Directory Service Access on a Member Server? Why would one do that? However, might be you just try to figure something out.... But IF you configure sophisticated auditing, I strongly recommend nailing it down to the events you really need to audit. Otherwise you will generate tons of audit logs a day.

    Example: 5 Domains, 1 Forest - 10 DCs, ~ 500 Member Servers. Just auditing the absolute minimum baseline proposed by Microsoft generates ~30 GB of logfiles each day. Of course you have to keep those logfiles for a certain time - let's say 2 years..... well, do the math ;-)



    best regards Switch

    MCITP Enterprise Administrator
    MCSA Windows Server 2012
    MCTS Windows 7 Configuration

    Disclaimer: This posting is provided "AS IS"  with no warranties, and confers no rights.


    • Edited by Switch1210 Saturday, July 09, 2016 10:16 AM
    Saturday, July 09, 2016 10:12 AM
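
The reply above recommends reading the effective audit policy with auditpol.exe rather than gpedit.msc or gpresult; the script below is an added example of that check and is not code posted by anyone in the thread. The required subcategory list, the sample rows, the host name and the GUIDs are constructed for illustration, and the string comparison assumes English-language auditpol output.

```powershell
# Added example (not from the thread): compare the effective audit policy
# reported by auditpol.exe against a small expected baseline.
param([switch]$Live)   # -Live queries this machine; run from an elevated prompt

# Constructed sample in the CSV layout of 'auditpol /get /category:* /r'.
# Host name and GUIDs are placeholders, not real values.
$sampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV-EXAMPLE,System,Credential Validation,{00000000-0000-0000-0000-000000000001},Success and Failure,
SRV-EXAMPLE,System,Logon,{00000000-0000-0000-0000-000000000002},Success and Failure,
SRV-EXAMPLE,System,Logoff,{00000000-0000-0000-0000-000000000003},No Auditing,
SRV-EXAMPLE,System,User Account Management,{00000000-0000-0000-0000-000000000004},Success,
'@

# Subcategories expected to be audited for Success and Failure
# (an assumption for this example; replace with your own baseline).
$required = 'Credential Validation', 'Logon', 'Logoff', 'User Account Management'

function Get-EffectiveAuditPolicy {
    param([string[]]$CsvLines)
    # auditpol can emit blank lines around the CSV; drop them before parsing.
    $CsvLines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv |
        Select-Object Subcategory, @{ n = 'Setting'; e = { $_.'Inclusion Setting' } }
}

function Test-AuditBaseline {
    param($Policy, [string[]]$Required)
    foreach ($name in $Required) {
        $row = $Policy | Where-Object { $_.Subcategory -eq $name }
        $setting = if ($row) { $row.Setting } else { 'missing' }
        New-Object PSObject -Property @{
            Subcategory = $name
            Effective   = $setting
            Compliant   = ($setting -eq 'Success and Failure')
        } | Select-Object Subcategory, Effective, Compliant
    }
}

if ($Live) {
    $lines = auditpol.exe /get /category:* /r
    # "Audit: Force audit policy subcategory settings ..." is stored in this value;
    # 1 means subcategory settings override the legacy category settings.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    "SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"
} else {
    $lines = $sampleCsv -split "`r?`n"
}

Test-AuditBaseline -Policy (Get-EffectiveAuditPolicy $lines) -Required $required |
    Format-Table -AutoSize
```

Run without arguments it evaluates the constructed sample, where Logoff and User Account Management are reported as non-compliant; with `-Live` it evaluates the local machine.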
  • Hey thanks for the advice.

    I'm actually not trying to do any advanced auditing.  When you guys all suggested it might be set someplace in the domain I went on the hunt, but did not find any.

    Then in order to do some testing I enabled some advanced audit settings, just as a test, and well, you see the results.

    In fact the *only* thing I'm looking for is logon events to the citrix server, I was simply perplexed when I couldn't get that accomplished, and used a new GPO named Auditing just for that purpose.

    But the fact is I have other policies I need to enable for this server, and they are not applying either.  Auditing was supposed to be a quick easy test to see what was going on.

    I think though there's a systemic issue, as there are other servers in this environment that on closer inspection do not have all the policies applied either.

    Thanks for all the advice though.  Much appreciated.

    Saturday, July 09, 2016 4:26 PM
  • Did you ever get your Local Security Policy / Advanced Auditing section to show GPO applied settings? Shouldn't the cmd below match what's in Local Security Policy / Advanced...?

    auditpol /get /category:*

    Friday, December 29, 2017 3:20 PM