Thursday, April 13, 2017

Advanced Security Audit Policy Not Applying To Win7

Issue



I am trying to apply a GPO with Advanced Security Audit Policy configurations to a Windows 7 client but the settings are not applying.



I double-checked my work using this article - http://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx



I did enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings




When I run auditpol.exe /get /category:* I see that only the default advanced audit settings are applied, not the ones I set in the new GPO. I know that the GPO itself is applying to the computer because other settings in the GPO are present and RSOP shows the GPO applied successfully.



We have a GPO higher in the OU structure that applies some advanced audit settings so I thought that for some reason it was interfering or overriding but they are also not showing in auditpol.exe /get /category:*. I performed an auditpol.exe /clear, which clears the policy.






After auditpol.exe /clear







Category/Subcategory                        Setting
System
  Security System Extension                 No Auditing
  System Integrity                          No Auditing
  IPsec Driver                              No Auditing
  Other System Events                       No Auditing
  Security State Change                     No Auditing
Logon/Logoff
  Logon                                     No Auditing
  Logoff                                    No Auditing
  Account Lockout                           No Auditing
  IPsec Main Mode                           No Auditing
  IPsec Quick Mode                          No Auditing
  IPsec Extended Mode                       No Auditing
  Special Logon                             No Auditing
  Other Logon/Logoff Events                 No Auditing
  Network Policy Server                     No Auditing
Object Access
  File System                               No Auditing
  Registry                                  No Auditing
  Kernel Object                             No Auditing
  SAM                                       No Auditing
  Certification Services                    No Auditing
  Application Generated                     No Auditing
  Handle Manipulation                       No Auditing
  File Share                                No Auditing
  Filtering Platform Packet Drop            No Auditing
  Filtering Platform Connection             No Auditing
  Other Object Access Events                No Auditing
  Detailed File Share                       No Auditing
Privilege Use
  Sensitive Privilege Use                   No Auditing
  Non Sensitive Privilege Use               No Auditing
  Other Privilege Use Events                No Auditing
Detailed Tracking
  Process Termination                       No Auditing
  DPAPI Activity                            No Auditing
  RPC Events                                No Auditing
  Process Creation                          No Auditing
Policy Change
  Audit Policy Change                       No Auditing
  Authentication Policy Change              No Auditing
  Authorization Policy Change               No Auditing
  MPSSVC Rule-Level Policy Change           No Auditing
  Filtering Platform Policy Change          No Auditing
  Other Policy Change Events                No Auditing
Account Management
  User Account Management                   No Auditing
  Computer Account Management               No Auditing
  Security Group Management                 No Auditing
  Distribution Group Management             No Auditing
  Application Group Management              No Auditing
  Other Account Management Events           No Auditing
DS Access
  Directory Service Changes                 No Auditing
  Directory Service Replication             No Auditing
  Detailed Directory Service Replication    No Auditing
  Directory Service Access                  No Auditing
Account Logon
  Kerberos Service Ticket Operations        No Auditing
  Other Account Logon Events                No Auditing
  Kerberos Authentication Service           No Auditing
  Credential Validation                     No Auditing



I then performed a gpupdate /force and rebooted but AuditPol still shows 'no auditing' for all settings.



I also deleted the audit.csv file, which appears to contain the settings of the GPO higher in the structure (even though I read that it only contains local settings) but not the new GPO, in C:\Windows\security\audit and then performed a gpupdate /force. After running gpupdate /force, the file was reinstated and it showed the default settings and the advanced audit settings from the GPO higher in the OU structure, not the new GPO settings, but auditpol was still showing no auditing for all settings. Also, the audit.csv file modify date was from months ago so I suspect it is just pulling the information from the initial GPO? I tried enforcing and ranking the new GPO higher but it still does not apply.




Environment



Windows 7 SP1 client and Windows 2008R2 DC



Any help is appreciated.
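
The comparison the post makes by eye (auditpol.exe /get /category:* output against audit.csv) can be made repeatable; the following is an added example, not part of the original post. The sample output and CSV rows are constructed, the GUID column holds placeholders, and the "Audit " name prefix on CSV subcategories is an assumption about GPO-written files.

```python
import csv, io, re

# Constructed sample of `auditpol.exe /get /category:*` output (not from the post).
AUDITPOL_OUT = """\
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   No Auditing
Detailed Tracking
  Process Creation                        No Auditing
Account Logon
  Credential Validation                   Success and Failure
"""
# Constructed rows in the audit.csv column layout; the GUID column holds placeholders.
AUDIT_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Logon,{placeholder-guid},Success and Failure,,3
,System,Audit Process Creation,{placeholder-guid},Success,,1
,System,Audit Credential Validation,{placeholder-guid},Success and Failure,,3
"""
ROW = re.compile(r"\s+(.*?)\s+(Success and Failure|No Auditing|Success|Failure)\s*$")

def parse_auditpol(text):
    """Map subcategory -> effective setting; only indented lines are subcategories."""
    rows = (ROW.match(line) for line in text.splitlines() if line.startswith(" "))
    return {m.group(1): m.group(2) for m in rows if m}

def parse_policy_csv(text):
    """Map subcategory -> requested setting from the body of an audit.csv file."""
    reader = csv.DictReader(io.StringIO(text))
    return {r["Subcategory"].strip(): r["Inclusion Setting"].strip() for r in reader}

def drift(effective, wanted):
    """Return (subcategory, requested, effective) for each setting that did not land."""
    out = []
    for name, want in sorted(wanted.items()):
        # Assumption: GPO-written files prefix names with "Audit "; try both forms.
        short = name[len("Audit "):] if name.startswith("Audit ") else name
        have = effective.get(name, effective.get(short, "<not reported>"))
        if have != want:
            out.append((short, want, have))
    return out

if __name__ == "__main__":
    for name, want, have in drift(parse_auditpol(AUDITPOL_OUT), parse_policy_csv(AUDIT_CSV)):
        print(f"{name}: policy file requests {want!r}, auditpol reports {have!r}")
```

Run against the real auditpol text and the contents of the audit.csv under inspection, an empty result means every requested subcategory is in effect; each returned tuple names one that is not.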
