Audit Policy differences on member servers than DC's

Posted on 2011-03-15
Last Modified: 2012-06-27
Running 2008 R2 domain/forest. I have the audit policy defined on our DC’s, everything is success, failure except for audit object access and audit system events is set to failure only. I have enabled the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". Using auditpol I have set several subcategories to no auditing.

Some of my member servers using the GUI for local policy show no auditing for logon events, object access, policy change and system events but using auditpol only the subcategories I have set to no auditing are set to no auditing. Other member servers show the same way the DC’s are set. Not sure why this is. Please see the attached file of screen shots to clarify what I am trying to explain.
 EE-audit-settings.docx
Question by:asrvwiz
 
LVL 51

Expert Comment

by:Netman66
ID: 35151039
So, if I read your screenshots correctly, the DC and (at least) the member server at the end is correct (according to the GUI) and the first member shows wrong in the GUI but correct using Auditpol?

Weird actually...

If Auditpol shows the right settings I would trust that - but why it isn't reflected in the GUI is strange.

Are all these servers 2008R2?
Was the last server ever a DC?

Is it possible you have the Audit policy configured on the Default Domain Controller policy and it isn't applying to the members - except the last one (which may have been a DC at one time?)??

Need a little more detail.
0
 

Author Comment

by:asrvwiz
ID: 35151337
Yes you are correct with the screen shots.

AHHHH they are not 2008R2, just 2008 standard, but should that matter?? Neither member server was a DC.  The audit policy shot I provided was from default domain policy.

Thanks for the response, thought it was strange that it was not reflected in the GUI.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 35153323
Can you run GPRESULT /v > C:\gpresult.txt  <= do this on the member that has the incorrect GUI settings.

and post the text file here?

I'd like to see if the server is getting everything it should.

Can you also run (on the DC) - repadmin /showrepl /all > c:\repadmin.txt

You can email me that one as it might contain info you want to keep out of the public.  Send it to my alias here at gmail.
0

Author Closing Comment

by:asrvwiz
ID: 35158253
Netman66 helped via email. Thanks again.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35158307
Just a followup for the benefit of the forum.

The policy was applying properly to the server, just not reflecting it was in the GUI of secpol.

A log was sent to me offline as it contained sensitive info that could not be posted here.

All is well, however I suggested opening a support call with Microsoft to determine if he has uncovered a bug.

Thanks!
NM
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35159228
Some info for you - ironically!

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

Kind of confirms my statement about auditpol being correct.

Cheers.
NM
0
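The thread's conclusion, that auditpol rather than the secpol GUI shows the effective audit policy once subcategory settings override category settings, can be checked per server with a script like this one. It is an added example, not code from the thread: the baseline table is constructed and must be replaced with your own, and the CSV column names assume English-language auditpol output.

```powershell
# Added example: list effective audit subcategory settings from auditpol
# and flag drift from an expected baseline. Run elevated on the member server.
# Written to work on PowerShell 2.0 (Server 2008 / 2008 R2).

# Constructed baseline for illustration only; replace with your own policy.
$expected = @{
    'Logon'               = 'Success and Failure'
    'File System'         = 'Failure'
    'Audit Policy Change' = 'Success and Failure'
}

# Registry value behind "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings".
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$prop  = Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if (-not $prop -or $prop.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory override is not enabled; category-level policy can overwrite auditpol settings.'
}

# /r emits CSV; drop blank lines so the header row is the first line parsed.
$raw = & auditpol.exe /get /category:* /r
if ($LASTEXITCODE -ne 0) {
    throw "auditpol failed with exit code $LASTEXITCODE (is the session elevated?)"
}
$effective = $raw | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv |
    Where-Object { $_.Subcategory }

$report = foreach ($row in $effective) {
    $name    = $row.Subcategory
    $setting = $row.'Inclusion Setting'
    $want    = $null
    if ($expected.ContainsKey($name)) { $want = $expected[$name] }
    New-Object PSObject -Property @{
        Subcategory = $name
        Effective   = $setting
        Expected    = $want
        Drift       = ($null -ne $want) -and ($want -ne $setting)
    }
}

$report | Sort-Object Subcategory |
    Format-Table Subcategory, Effective, Expected, Drift -AutoSize

$drift = @($report | Where-Object { $_.Drift })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) subcategory setting(s) differ from the baseline."
}
```

Run it on a server whose Local Security Policy view disagrees with auditpol; the Effective column is the value to compare against the domain policy.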
