2012 R2 - Advanced Auditing settings not applying

    Question

  • Hi all,

    I have a strange scenario whereby the Advanced Auditing settings are not applying in our environment.

    I set up a GPO linked to an OU with a test server and configured it with a few Advanced Auditing settings.  When I run a GPUPDATE from the test box, the audit.csv file downloads correctly and if I open it I see it contains the settings configured.  However, the auditing settings when I run an auditpol.exe /get /category:* command all show as 'No Auditing'.

    If I manually import the settings by using auditpol /restore /file:c:\windows\security\audit\audit.csv the settings show correctly.  If I clear them and run a gpupdate, the settings are not updated, even though the correct audit.csv is present and has the correct data.

    I have set ‘Computer Configuration => Policies => Windows Settings => Security Settings => Local Policies => Security Options => Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings’ to ‘Enabled’ so that it ignores basic auditing, but still nothing.

    Am I missing something obvious?

    Cheers,

    Martin

    Thursday, 31 December 2015 13:17

All replies

  • Hi,
     
    >using auditpol /restore /file:c:\windows\security\audit\audit.csv the settings show correctly.
     
    So you have checked the audit.csv file under "c:\windows\security\audit"?
     
    The domain-based policy settings are in an audit.csv in SYSVOL and that is never stored locally to the computer. So you should check the file under the path below instead:
     
    \SYSVOL\domain\Policies\{policyID}\Machine\microsoft\windows nt\Audit
     
    Try to delete the audit.csv file from the path above, then reconfigure the setting in GPMC, run "gpupdate /force", then run "auditpol.exe /get /category:*" from an elevated command prompt (run as administrator) to check result.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Friday, 1 January 2016 04:31
    Moderator
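A direct way to check whether the settings in a GPO's audit.csv have actually taken effect on the box, added here as an example and not code from the thread: it reads an audit.csv (the SYSVOL copy at the path given above, or the local copy under %SystemRoot%\security\audit that the question mentions) and compares each subcategory's Inclusion Setting with what auditpol /get /category:* /r reports. The domain name and policy GUID in the usage lines are placeholders.

```powershell
# Added example: compare the subcategory settings in an audit.csv with the
# effective audit policy reported by auditpol. Not part of the original thread.

function Get-EffectiveAuditPolicy {
    # auditpol /get /category:* /r emits CSV with the same columns as a backup
    # file: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting, Setting Value.
    $raw = & auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /get failed with exit code $LASTEXITCODE (run elevated)"
    }
    $raw | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
}

function Compare-AuditPolicyCsv {
    param([Parameter(Mandatory)][string]$CsvPath)

    # Only machine-wide rows; per-user rows carry a SID in Policy Target.
    $expected  = Import-Csv -Path $CsvPath | Where-Object { $_.'Policy Target' -eq 'System' }
    $effective = Get-EffectiveAuditPolicy

    foreach ($row in $expected) {
        # Prefer the GUID when the file has one; fall back to the display name.
        $guid  = $row.'Subcategory GUID'
        $match = if (-not [string]::IsNullOrWhiteSpace($guid)) {
            $effective | Where-Object { $_.'Subcategory GUID' -eq $guid } | Select-Object -First 1
        } else {
            $effective | Where-Object { $_.Subcategory -eq $row.Subcategory } | Select-Object -First 1
        }
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Expected    = $row.'Inclusion Setting'
            Effective   = if ($match) { $match.'Inclusion Setting' } else { '<not reported>' }
            Applied     = [bool]($match -and $match.'Inclusion Setting' -eq $row.'Inclusion Setting')
        }
    }
}

# Usage (run elevated). Placeholders: replace the domain and the policy GUID.
$domain    = 'corp.example.com'
$policyId  = '{00000000-0000-0000-0000-000000000000}'
$sysvolCsv = "\\$domain\SYSVOL\$domain\Policies\$policyId\Machine\microsoft\windows nt\Audit\audit.csv"
$localCsv  = Join-Path $env:SystemRoot 'security\audit\audit.csv'

$csv = if (Test-Path $sysvolCsv) { $sysvolCsv } else { $localCsv }
# Show only the subcategories whose effective setting differs from the file.
Compare-AuditPolicyCsv -CsvPath $csv | Where-Object { -not $_.Applied } | Format-Table -AutoSize
```

If every row comes back with Applied set, the CSV has been processed and the problem is elsewhere; if every row shows '<not reported>' or 'No Auditing' while the file says otherwise, the file itself is being rejected, which is the situation the later replies in this thread describe.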
  • Hi Ethan, thanks for the reply. This was puzzling me as in the past the issues were around the audit.csv either not downloading properly or being empty. Neither was the case in this instance.

    I tracked down the culprit as the 'MSFT Windows Server 2012 R2 Member Server Baseline' policy, which has a setting in it which is somehow stopping the application of the Advanced Policies.  If I disable this policy everything works, so my next step is to work through this and see what could possibly be causing it.

    Any ideas or thoughts gladly welcome.

    Regards,
    Martin

    Friday, 1 January 2016 11:56
  • I have found the same issue that was first pointed out by Martin, utilizing LGPO.exe version 2.2.1705.29001 with the audit.csv produced by SCM version 4.0.0.1 (Setting Library Version: 2.0.82001) to apply "WS2016 Member Server Security Compliance 1.0" with company-specific, slightly adjusted settings on Windows Server 2016 Datacenter Edition.

    When executing Member_Server_Install.cmd, which uses LGPO.exe /v /g ..\GPOs\{ad16bf73-1acc-4cc8-8fad-cfd9147e7c63} as the installation command, the output is:

    C:\Windows\system32\auditpol.exe /clear /y
    The command was successfully executed.
    AUDITPOL.EXE exited with exit code 0
    ----------------------------------------------------------------------
    C:\Windows\system32\auditpol.exe /restore /file:"..\GPOs\{ad16bf73-1acc-4cc8-8fad-cfd9147e7c63}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"
    AUDITPOL.EXE exited with exit code 3221225477
    ----------------------------------------------------------------------

    Through testing I have found that if I replace the following lines in the audit.csv file:

    ,System,Group Membership,,No Auditing,,0
    ,System,User / Device Claims,,No Auditing,,0
    ,System,Central Policy Staging,,No Auditing,,0
    ,System,Token Right Adjusted Events,,No Auditing,,0
    ,System,Plug and Play Events,,No Auditing,,0

    with the following:

    ,System,Group Membership,{0CCE9249-69AE-11D9-BED3-505054503030},No Auditing,,0
    ,System,User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030},No Auditing,,0
    ,System,Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030},No Auditing,,0
    ,System,Token Right Adjusted Events,{0CCE924A-69AE-11D9-BED3-505054503030},No Auditing,,1
    ,System,Plug and Play Events,{0CCE9248-69AE-11D9-BED3-505054503030},No Auditing,,1

    the policy settings import successfully; otherwise no policy settings are applied, even though the audit.csv file has been copied to:

    C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv
    C:\Windows\security\audit\audit.csv

    After replacing the lines pointed out above in the audit.csv file and re-running Member_Server_Install.cmd, the auditpol.exe command completed successfully:

    C:\Windows\system32\auditpol.exe /clear /y
    The command was successfully executed.
    AUDITPOL.EXE exited with exit code 0
    ----------------------------------------------------------------------
    C:\Windows\system32\auditpol.exe /restore /file:"..\GPOs\{ad16bf73-1acc-4cc8-8fad-cfd9147e7c63}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"
    The command was successfully executed.
    AUDITPOL.EXE exited with exit code 0
    ----------------------------------------------------------------------

    It appears that the auditpol utility is not compatible with audit.csv entries in which the subcategory GUID is left blank.

    Thursday, 14 June 2018 17:35
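A way to find and fill in blank subcategory GUIDs before an audit.csv is pushed out, added here as an example and not code from the thread or from the SCM/LGPO tooling: it builds a name-to-GUID map from auditpol /list /subcategory:* /r, rewrites only the rows whose fourth column is empty, leaves the Setting Value column untouched, and then checks the result with auditpol /restore on a test box, reporting the exit code. The 3221225477 logged above is 0xC0000005 (STATUS_ACCESS_VIOLATION), consistent with auditpol crashing on the malformed row rather than rejecting it cleanly. The sample audit.csv is constructed from the rows quoted above; the ASCII output encoding and the scratch path under %TEMP% are assumptions.

```powershell
# Added example: fill in missing subcategory GUIDs in an audit.csv and verify
# the result with auditpol /restore. Not part of the original thread.

function Get-AuditSubcategoryGuidMap {
    # auditpol /list /subcategory:* /r prints "Category/Subcategory,GUID".
    # Category rows are flush left; subcategory rows are indented with spaces.
    $lines = & auditpol.exe /list /subcategory:* /r
    if ($LASTEXITCODE -ne 0) { throw "auditpol /list failed with exit code $LASTEXITCODE" }
    $map = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s+(.+?),(\{[0-9A-Fa-f-]+\})\s*$') {
            $map[$Matches[1].Trim()] = $Matches[2].ToUpper()
        }
    }
    $map
}

function Repair-AuditCsvGuids {
    param(
        [Parameter(Mandatory)][string]$InPath,
        [Parameter(Mandatory)][string]$OutPath
    )
    $guidMap = Get-AuditSubcategoryGuidMap
    $header  = 'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value'
    $out     = @($header)
    $fixed   = @(); $unknown = @()

    foreach ($row in Import-Csv -Path $InPath) {
        if ([string]::IsNullOrWhiteSpace($row.'Subcategory GUID')) {
            if ($guidMap.ContainsKey($row.Subcategory)) {
                $row.'Subcategory GUID' = $guidMap[$row.Subcategory]
                $fixed += $row.Subcategory
            } else {
                $unknown += $row.Subcategory   # leave the row as-is and report it
            }
        }
        # Write the fields unquoted; subcategory names contain no commas.
        $out += ($row.'Machine Name', $row.'Policy Target', $row.Subcategory,
                 $row.'Subcategory GUID', $row.'Inclusion Setting',
                 $row.'Exclusion Setting', $row.'Setting Value') -join ','
    }
    # Assumption: ASCII output is accepted by auditpol /restore for this content.
    Set-Content -Path $OutPath -Value $out -Encoding ASCII
    [pscustomobject]@{ Fixed = $fixed; Unknown = $unknown }
}

function Test-AuditCsvRestore {
    # Run this on a disposable test machine only: /restore replaces the live policy.
    param([Parameter(Mandatory)][string]$Path)
    & auditpol.exe /restore /file:"$Path" | Out-Null
    $code = $LASTEXITCODE
    [pscustomobject]@{
        ExitCode = $code
        # LGPO logged 3221225477; PowerShell reports the same value as the signed
        # Int32 -1073741819. Either way the hex form is 0xC0000005.
        Hex      = ('0x{0:X8}' -f $code)
        Ok       = ($code -eq 0)
    }
}

# Constructed sample: the header plus the rows quoted above, with blank GUIDs.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Group Membership,,No Auditing,,0
,System,User / Device Claims,,No Auditing,,0
,System,Central Policy Staging,,No Auditing,,0
,System,Token Right Adjusted Events,,No Auditing,,0
,System,Plug and Play Events,,No Auditing,,0
'@
$in  = Join-Path $env:TEMP 'audit-blank.csv'   # assumed scratch location
$out = Join-Path $env:TEMP 'audit-fixed.csv'
Set-Content -Path $in -Value $sample -Encoding ASCII

$report = Repair-AuditCsvGuids -InPath $in -OutPath $out
"Filled GUIDs for: $($report.Fixed -join ', ')"
if ($report.Unknown) { "Not in auditpol /list, left blank: $($report.Unknown -join ', ')" }
Test-AuditCsvRestore -Path $out
```

Run it elevated. Any subcategory name that auditpol does not list on the target OS is reported rather than guessed, which is the case to watch for when a baseline written for a newer Windows version is applied to an older one.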