Issue
I am trying to apply a GPO with Advanced Security Audit Policy configurations to a Windows 7 client but the settings are not applying.
I double-checked my work using this article - http://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx
I did enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
When I run auditpol.exe /get /category:* I see that only the default advanced audit settings are applied, not the ones I set in the new GPO. I know that the GPO itself is applying to the computer because other settings in the GPO are present and RSOP shows the GPO applied successfully.
We have a GPO higher in the OU structure that applies some advanced audit settings so I thought that for some reason it was interfering or overriding but they are also not showing in auditpol.exe /get /category:*. I performed an auditpol.exe /clear, which clears the policy.
After auditpol.exe /clear

Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing
I then performed a gpupdate /force and rebooted but AuditPol still shows 'no auditing' for all settings.
I also deleted the audit.csv file, which appears to contain the settings of the GPO higher in the structure (even though I read that it only contains local settings) but not the new GPO, in C:\Windows\security\audit and then performed a gpupdate /force. After running gpupdate /force, the file was reinstated and it showed the default settings and the advanced audit settings from the GPO higher in the OU structure, not the new GPO settings, but auditpol was still showing no auditing for all settings. Also, the audit.csv file modify date was from months ago so I suspect it is just pulling the information from the initial GPO? I tried enforcing and ranking the new GPO higher but it still does not apply.
Environment
Windows 7 SP1 client and Windows 2008R2 DC
Any help is appreciated.
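
Added example, not part of the original post: a small Python check that compares what an audit.csv file requests against what auditpol.exe /get /category:* /r reports, matching on subcategory GUID so differing display names do not matter. The column names, the 0-3 Setting Value codes and both sample inputs are assumptions constructed for illustration; check them against your own files before relying on the result.

```python
import csv
import io

# Assumed meaning of the "Setting Value" column in audit.csv.
VALUE_NAMES = {"0": "No Auditing", "1": "Success",
               "2": "Failure", "3": "Success and Failure"}

# Constructed sample of an audit.csv delivered by a GPO.
AUDIT_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},No Auditing,,0
"""

# Constructed sample of "auditpol.exe /get /category:* /r" after a clear.
AUDITPOL_R = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

CLIENT01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},No Auditing,
CLIENT01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
CLIENT01,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},No Auditing,
"""

def _rows(text):
    # Drop blank lines so a gap after the header does not yield empty rows.
    lines = [line for line in text.splitlines() if line.strip()]
    return csv.DictReader(io.StringIO("\n".join(lines)))

def expected_from_policy(text):
    """Map subcategory GUID -> (name, setting the policy file asks for)."""
    out = {}
    for r in _rows(text):
        code = r["Setting Value"].strip()
        wanted = VALUE_NAMES.get(code, r["Inclusion Setting"].strip())
        out[r["Subcategory GUID"].strip().upper()] = (r["Subcategory"], wanted)
    return out

def effective_from_auditpol(text):
    """Map subcategory GUID -> setting auditpol reports as in effect."""
    return {r["Subcategory GUID"].strip().upper(): r["Inclusion Setting"].strip()
            for r in _rows(text)}

def find_mismatches(policy_text, auditpol_text):
    effective = effective_from_auditpol(auditpol_text)
    wanted = sorted(expected_from_policy(policy_text).items())
    return [(name, want, effective.get(guid, "<missing>"))
            for guid, (name, want) in wanted
            if effective.get(guid, "<missing>") != want]

if __name__ == "__main__":
    for name, want, actual in find_mismatches(AUDIT_CSV, AUDITPOL_R):
        print(f"{name}: policy file wants '{want}', effective is '{actual}'")
```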