Running 2008 R2 domain/forest. I have the audit policy defined on our DC’s, everything is success, failure except for audit object access and audit system events is set to failure only. I have enabled the security option Audit: Force audit policy subcategory settings (windows Vista or Later) to override audit policy category settings. Using auditpol I have set several subcategories to no auditing.
Some of my member servers using the GUI for local policy show no auditing for logon events, object access, policy change and system events but using auditpol only the subcategories I have set to no auditing are set to no auditing. Other member servers show the same way the DC’s are set. Not sure why this is. Please see the attached file of screen shots to clarify what I am trying to explain.