top_rung asked:

GP Auditing showing different from gpedit compared to AD

Server 2003 Enterprise SP1 - the primary domain controller

I began by trying to turn on Object Auditing for my domain.  I wanted to see who in my domain accessed what on the server.

So, on the server within AD User and Computers, I right-clicked my domain > Properties > Group Policy tab and chose to edit the Default Domain Policy.  Under Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy, I set Audit Object Access to Success, Failure. I soon noticed that no object auditing was taking place for server objects, but on the workstations, object auditing was being logged.

On the server, from the command prompt, I ran gpedit, and navigated to the same path above, and it shows the setting to be No Auditing and the policy is dithered out.  Can not make any changes.

Okay, so gpedit is showing me policy for that machine (the server), and the Domain policy I set in AD was just pushed to all workstations?  Is that correct?

If so, how can I set it such that I can audit the shares on the domain for access to objects by workstations?
TheCleaner

If you want the policy to take effect for the DC, you need to change the Default Domain Controller Policy, otherwise just like you said it will be applied to the workstations and the member servers only.
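The scoping described in this answer, as an added example that is not part of the original thread: it parses the `[Event Audit]` section of security-template text (the `GptTmpl.inf` format each GPO stores in SYSVOL) and merges GPOs in processing order, so a GPO linked to the Domain Controllers OU overrides the domain-linked one. The template contents are constructed samples, and the value 0 in the Default Domain Controllers Policy sample is an assumption chosen to match the "No Auditing" reported above.

```python
# Constructed GptTmpl.inf fragments (sample data, not taken from the thread).
DEFAULT_DOMAIN_POLICY = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditObjectAccess = 3
"""
# Assumption: the DC policy defines object access auditing as "No auditing".
DEFAULT_DC_POLICY = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditObjectAccess = 0
AuditLogonEvents = 1
"""
AUDIT_FLAGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}

def parse_event_audit(inf_text):
    """Return {setting: int} from the [Event Audit] section of a template."""
    settings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "event audit" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = int(value)
    return settings

def resultant_audit(gpo_chain):
    """Merge GPOs in processing order; a later GPO wins for each setting it defines."""
    result = {}
    for name, inf_text in gpo_chain:
        for key, value in parse_event_audit(inf_text).items():
            result[key] = (value, name)
    return result

def describe(result, key):
    """Return (human-readable setting, winning GPO) or ("Not defined", None)."""
    if key not in result:
        return ("Not defined", None)
    value, source = result[key]
    return (AUDIT_FLAGS[value], source)

# Workstation: only the domain-linked GPO. DC: domain GPO, then the OU-linked GPO.
WORKSTATION = [("Default Domain Policy", DEFAULT_DOMAIN_POLICY)]
DOMAIN_CONTROLLER = WORKSTATION + [("Default Domain Controllers Policy", DEFAULT_DC_POLICY)]

if __name__ == "__main__":
    for label, chain in (("workstation", WORKSTATION), ("domain controller", DOMAIN_CONTROLLER)):
        print(label, describe(resultant_audit(chain), "AuditObjectAccess"))
```

Settings a domain GPO defines are the ones that appear read-only in the local policy editor on the affected machine, which is why the change has to be made in the GPO that wins for that computer.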
top_rung (ASKER)

So there is my problem I think.  Running gpedit on the server, in theory, I should be able to edit the machine's policy right? The domain controllers that is.

If that is the case, as stated above, it states No Auditing, and the options to set success or failure are dithered out.   I don't quite get it.
ASKER CERTIFIED SOLUTION
TheCleaner
This solution is only available to members.
Bingo Thanks!  I can edit them that way.

Therein is where my understanding has fallen apart.  What is gpedit.msc editing policies for in my scenario?  It shows different settings than the Default Domain Policy in AD, and it doesn't seem to show the changes that I make through the Administrative tools.

I guess I really don't know the difference between running gpedit.msc or secpol.msc!  :-|
I would download the group policy management console from MS and install it on the DC.  Then use that tool to create/edit GPOs.  It's much better.