Solved

Audit Policy differences on member servers than DC's

Posted on 2011-03-15
Last Modified: 2012-06-27
Running 2008 R2 domain/forest. I have the audit policy defined on our DCs, everything is success, failure except for audit object access and audit system events is set to failure only. I have enabled the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". Using auditpol I have set several subcategories to no auditing.

Some of my member servers using the GUI for local policy show no auditing for logon events, object access, policy change and system events but using auditpol only the subcategories I have set to no auditing are set to no auditing. Other member servers show the same way the DCs are set. Not sure why this is. Please see the attached file of screen shots to clarify what I am trying to explain.
 EE-audit-settings.docx
Question by:asrvwiz
6 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 35151039
So, if I read your screenshots correctly, the DC and (at least) the member server at the end is correct (according to the GUI) and the first member shows wrong in the GUI but correct using Auditpol?

Weird actually...

If Auditpol shows the right settings I would trust that - but why it isn't reflected in the GUI is strange.

Are all these servers 2008R2?
Was the last server ever a DC?

Is it possible you have the Audit policy configured on the Default Domain Controller policy and it isn't applying to the members - except the last one (which may have been a DC at one time?)??

Need a little more detail.
0
 

Author Comment

by:asrvwiz
ID: 35151337
Yes you are correct with the screen shots.

AHHHH they are not 2008R2, just 2008 standard, but should that matter?? Neither member server was a DC.  The audit policy shot I provided was from default domain policy.

Thanks for the response, thought it was strange that it was not reflected in the GUI.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 35153323
Can you run GPRESULT /v > C:\gpresult.txt  <= do this on the member that has the incorrect GUI settings.

and post the text file here?

I'd like to see if the server is getting everything it should.

Can you also run (on the DC) - repadmin /showrepl /all > c:\repadmin.txt

You can email me that one as it might contain info you want to keep out of the public.  Send it to my alias here at gmail.
0
 

Author Closing Comment

by:asrvwiz
ID: 35158253
Netman66 helped via email. Thanks again.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35158307
Just a followup for the benefit of the forum.

The policy was applying properly to the server, just not reflecting it was in the GUI of secpol.

A log was sent to me offline as it contained sensitive info that could not be posted here.

All is well, however I suggested opening a support call with Microsoft to determine if he has uncovered a bug.

Thanks!
NM
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35159228
Some info for you - ironically!

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

Kind of confirms my statement about auditpol being correct.

Cheers.
NM
0
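Added example, not part of the original thread and not written by its participants: the thread settles on auditpol output as the setting to trust, so this PowerShell compares the `auditpol /get /category:* /r` CSV exports of a DC and a member server, subcategory by subcategory. The host names, GUID values and both CSV samples are constructed placeholders, and the function names are hypothetical.

```powershell
# Added example. On each real host, export the effective policy with:
#   auditpol /get /category:* /r > auditpol-<host>.csv
# The CSV text below is constructed sample data; host names and GUIDs are placeholders.
$dcCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
DC01,System,File System,{00000000-0000-0000-0000-000000000002},No Auditing,
DC01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000003},Success and Failure,
'@
$memberCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

MEMBER01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
MEMBER01,System,File System,{00000000-0000-0000-0000-000000000002},Failure,
'@

function ConvertTo-AuditMap {
    param([string]$CsvText)
    # Index rows by subcategory GUID, which does not change with the display language.
    $map = @{}
    $lines = $CsvText -split "`r?`n" | Where-Object { $_.Trim() }   # drop blank lines
    foreach ($row in ($lines | ConvertFrom-Csv)) {
        if ($row.'Subcategory GUID') { $map[$row.'Subcategory GUID'] = $row }
    }
    $map
}

function Compare-AuditPolicy {
    param([string]$ReferenceCsv, [string]$DifferenceCsv)
    $ref = ConvertTo-AuditMap $ReferenceCsv
    $dif = ConvertTo-AuditMap $DifferenceCsv
    # Walk the union of subcategories so a row missing on either side is reported too.
    foreach ($guid in (@($ref.Keys) + @($dif.Keys) | Sort-Object -Unique)) {
        $r = if ($ref.ContainsKey($guid)) { $ref[$guid].'Inclusion Setting' } else { '<missing>' }
        $d = if ($dif.ContainsKey($guid)) { $dif[$guid].'Inclusion Setting' } else { '<missing>' }
        if ($r -ne $d) {
            $name = if ($ref.ContainsKey($guid)) { $ref[$guid].Subcategory } else { $dif[$guid].Subcategory }
            [pscustomobject]@{ Subcategory = $name; Guid = $guid; Reference = $r; Difference = $d }
        }
    }
}

# Emits one object per subcategory whose setting differs between the two exports.
Compare-AuditPolicy -ReferenceCsv $dcCsv -DifferenceCsv $memberCsv | Format-Table -AutoSize
```

With real exports, read each file into a single string and pass the two strings in place of the sample variables.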
