Setting registry audit settings System access control lists (SACLs) via GPO without modifying existing registry key Discretionary access control lists (DACLs)

    Question

  • Hello and Merry Christmas,

    I want to be notified via the security event log when a new registry key is created under the following branch (and some others):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates

    What I first did was activate auditing via GPO.

    So far so clear, no problems.

    Now I configured a new GPO with the System access control lists (SACLs) and Discretionary access control lists (DACLs). The problem is I do not want to configure any DACLs. I just want to configure SACLs for auditing and leave the DACLs on the configured servers untouched.

    Here is my configuration of the second GPO.

    My problem is I cannot find a way to configure just the audit part in the GPO (red part in the screenshot) without setting any DACLs (green part in the screenshot):


    • Edited by Arno N Sunday, December 25, 2016 9:50 PM
    Sunday, December 25, 2016 9:47 PM

All replies

  • Hi,
    Have you tried the following KB to see if it helps you? If not, please try it manually:
    How to use Group Policy to audit registry keys in Windows Server 2003
    https://support.microsoft.com/en-sg/kb/324739
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 26, 2016 5:24 AM
    Moderator
  • Hi Wendy,

    I tried, but same problem here. KB324739 states the following:

    1. In the Registry list, click the registry key that you want to use, and then click OK. For example:

      MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    2. Click Advanced, click the Auditing tab, and then click Add.

    But before even clicking on Advanced you get the DACL field filled (green rectangle in the screenshot).

    When I remove all the DACLs (green) I get the following message:

    Perhaps GPO is not the perfect way to configure SACLs on registry keys? The manual way is not an option here because I have to configure this on more than 1000 servers.

    Monday, December 26, 2016 10:21 AM
  • Just tried to apply the GPO without any DACLs set. In this case, all the DACLs on the registry key get wiped. The result on the client looks like this:

    Monday, December 26, 2016 9:33 PM
  • Seems like this should help you to enable security auditing and track such changes as per your choice - https://community.spiceworks.com/how_to/123727-how-to-track-critical-policy-changes-in-the-ad-environment
    Wednesday, December 28, 2016 7:58 AM
  • Thank you michaelsymondson, but your article is not about auditing a specific registry key.
    Wednesday, December 28, 2016 12:04 PM
  • Hi,

    Can I ask why not set the SACLs? And if a registry key needs to be audited, accessing it might be a precondition.

    Best regards,

    Wendy



    Monday, January 2, 2017 1:51 AM
    Moderator
  • Can I ask why not set the SACLs? And if a registry key needs to be audited, accessing it might be a precondition.

    Hi Wendy, the problem is I do not know how the SACLs are set in my environment. We have over 1000 servers that are administered by a lot of teams, with a whole set of applications installed on them. How can I know if there are not any dependencies? Accessing is possible for me because I am a domain administrator; that is no problem.
    Tuesday, January 3, 2017 9:03 PM
  • Hi,

    Maybe you could use a script to set the permissions for the registry on multiple servers:

    How to change registry values or permissions from a command line or a script

    https://support.microsoft.com/en-sg/kb/264584

    and you could use Group Policy to deploy the script to these servers.

    Best regards,

    Wendy


    Friday, January 6, 2017 1:24 AM
    Moderator
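Wendy's scripted alternative, as an added example that is not from the thread or from Microsoft: a PowerShell script that adds the audit entry for Arno's key by opening it with ACCESS_SYSTEM_SECURITY and loading only the SACL section of the security descriptor, so the DACL is never read or written (the GPO template, by contrast, always writes both). It assumes Windows PowerShell 5.1 on .NET Framework, run elevated on the target server, and audits sub-key creation by Everyone on the path from the question; the RegSacl helper class and its EnableSecurityPrivilege function are my own names, not a Windows API.

```powershell
$Native = @'
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
public static class RegSacl {
    [StructLayout(LayoutKind.Sequential, Pack = 1)]
    struct TOKEN_PRIVILEGES { public int Count; public long Luid; public int Attr; }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, int access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, ref long luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES tp, int len, IntPtr prev, IntPtr prevLen);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int RegOpenKeyEx(IntPtr hKey, string subKey, int options, int sam, out IntPtr result);
    public static readonly IntPtr HKLM = new IntPtr(unchecked((int)0x80000002));
    public const int KEY_READ = 0x20019, ACCESS_SYSTEM_SECURITY = 0x01000000;
    // Opening a handle with ACCESS_SYSTEM_SECURITY (required to read or write a SACL) only
    // succeeds while SeSecurityPrivilege is enabled; an elevated token holds it but disabled.
    public static bool EnableSecurityPrivilege() {
        IntPtr token; long luid = 0;
        if (!OpenProcessToken(Process.GetCurrentProcess().Handle, 0x28, out token)) return false; // ADJUST_PRIVILEGES|QUERY
        if (!LookupPrivilegeValue(null, "SeSecurityPrivilege", ref luid)) return false;
        var tp = new TOKEN_PRIVILEGES { Count = 1, Luid = luid, Attr = 2 }; // SE_PRIVILEGE_ENABLED
        return AdjustTokenPrivileges(token, false, ref tp, Marshal.SizeOf(tp), IntPtr.Zero, IntPtr.Zero)
            && Marshal.GetLastWin32Error() == 0; // error 1300 = privilege not held (not elevated)
    }
}
'@
Add-Type -TypeDefinition $Native
if (-not [RegSacl]::EnableSecurityPrivilege()) { throw 'Could not enable SeSecurityPrivilege; run elevated.' }
$subKey = 'SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'   # path from the question
$daclBefore = (Get-Acl -Path "HKLM:\$subKey").Sddl                         # owner/group/DACL snapshot

$raw = [IntPtr]::Zero
$rc = [RegSacl]::RegOpenKeyEx([RegSacl]::HKLM, $subKey, 0, [RegSacl]::KEY_READ -bor [RegSacl]::ACCESS_SYSTEM_SECURITY, [ref]$raw)
if ($rc -ne 0) { throw "RegOpenKeyEx failed with Win32 error $rc" }
$key = [Microsoft.Win32.RegistryKey]::FromHandle([Microsoft.Win32.SafeHandles.SafeRegistryHandle]::new($raw, $true))

# Load ONLY the audit section. RegistrySecurity persists just the sections it loaded and
# that were modified, so SetAccessControl writes the SACL and never touches the DACL.
$sec = $key.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
$sec.AddAuditRule([System.Security.AccessControl.RegistryAuditRule]::new(
    'Everyone', 'CreateSubKey', 'ContainerInherit', 'None', 'Success,Failure'))  # this key and sub-keys
$key.SetAccessControl($sec)
$key.Close()

if ((Get-Acl -Path "HKLM:\$subKey").Sddl -ne $daclBefore) { throw 'DACL changed unexpectedly' }
```

Key creations only reach the Security log once the Registry subcategory of Object Access auditing is enabled, which the first GPO from the question already does; rolled out as a GPO startup script this covers the 1000 servers without touching any existing DACL.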