Solved

Audit Policy differences on member servers than DC's

Posted on 2011-03-15
6
1,059 Views
Last Modified: 2012-06-27
Running 2008 R2 domain/forest.  I have the audit policy defined on our DC’s, everything is success, failure except for audit object access and audit system events is set to failure only.  I have enabled the security option Audit: Force audit policy subcategory settings (windows Vista or Later) to override audit policy category settings.  Using auditpol I have set several subcategories to no auditing.

Some of my member servers using the GUI for local policy show no auditing for logon events, object access, policy change and system events but using auditpol only the subcategories I have set to no auditing are  set to no auditing.  Other member servers show the same way the DC’s are set.  Not sure why this is.  Please see the attached file of screen shots to clarify what I am trying to explain.
 EE-audit-settings.docx
0
Comment
Question by:asrvwiz
  • 4
  • 2
6 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 35151039
So, if I read your screenshots correctly, the DC and (at least) the member server at the end is correct (according to the GUI) and the first member shows wrong in the GUI but correct using Auditpol?

Wierd actually...

If Auditpol shows the right settings I would trust that - but why it isn't reflected in the GUI is strange.

Are all these servers 2008R2?
Was the last server ever a DC?

Is it possible you have the Audit policy configured on the Default Domain Controller policy and it isn't applying to the members - except the last one (which may have been a DC at one time?)??

Need a little more detail.
0
 

Author Comment

by:asrvwiz
ID: 35151337
Yes you are correct with the screen shots.

AHHHH they are not 2008R2, just 2008 standard, but should that matter?? Neither member server was a DC.  The audit policy shot I provided was from default domain policy.

Thanks for the response, thought I was strange that it was not reflected in the GUI.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 35153323
Can you run GPRESULT /v > C:\gpresult.txt  <= do this on the member that has the incorrect GUI settings.

and post the text file here?

I'd like to see if the server is getting everything it should.

Can you also run (on the DC) - repadmin /showrepl /all > c:\repadmin.txt

You can email me that one as it might contain info you want to keep out of the public.  Send it to my alias here at gmail.
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Author Closing Comment

by:asrvwiz
ID: 35158253
Netman66 help via email.  Thanks again.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35158307
Just a followup for the benefit of the forum.

The policy was applying properly to the server, just not reflecting it was in the GUI of secpol.

A log was sent to me offline as it contained sensitive info that could not be posted here.

All is well, however I suggested opening a support call with Microsoft to determine if he has uncovered a bug.

Thanks!
NM
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35159228
Some info for you - ironically!

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

Kind of confirms my statement about auditpol being correct.

Cheers.
NM
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We recently had an issue where out of nowhere, end users started indicating that their logins to our terminal server were just showing a "blank screen." After checking the usual suspects -- profiles, shell=explorer.exe in the registry, userinit.exe,…
Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question