Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1064
  • Last Modified:

Audit Policy differences on member servers than DC's

Running 2008 R2 domain/forest.  I have the audit policy defined on our DC’s, everything is success, failure except for audit object access and audit system events is set to failure only.  I have enabled the security option Audit: Force audit policy subcategory settings (windows Vista or Later) to override audit policy category settings.  Using auditpol I have set several subcategories to no auditing.

Some of my member servers using the GUI for local policy show no auditing for logon events, object access, policy change and system events but using auditpol only the subcategories I have set to no auditing are  set to no auditing.  Other member servers show the same way the DC’s are set.  Not sure why this is.  Please see the attached file of screen shots to clarify what I am trying to explain.
 EE-audit-settings.docx
0
asrvwiz
Asked:
asrvwiz
  • 4
  • 2
1 Solution
 
Netman66Commented:
So, if I read your screenshots correctly, the DC and (at least) the member server at the end is correct (according to the GUI) and the first member shows wrong in the GUI but correct using Auditpol?

Wierd actually...

If Auditpol shows the right settings I would trust that - but why it isn't reflected in the GUI is strange.

Are all these servers 2008R2?
Was the last server ever a DC?

Is it possible you have the Audit policy configured on the Default Domain Controller policy and it isn't applying to the members - except the last one (which may have been a DC at one time?)??

Need a little more detail.
0
 
asrvwizAuthor Commented:
Yes you are correct with the screen shots.

AHHHH they are not 2008R2, just 2008 standard, but should that matter?? Neither member server was a DC.  The audit policy shot I provided was from default domain policy.

Thanks for the response, thought I was strange that it was not reflected in the GUI.
0
 
Netman66Commented:
Can you run GPRESULT /v > C:\gpresult.txt  <= do this on the member that has the incorrect GUI settings.

and post the text file here?

I'd like to see if the server is getting everything it should.

Can you also run (on the DC) - repadmin /showrepl /all > c:\repadmin.txt

You can email me that one as it might contain info you want to keep out of the public.  Send it to my alias here at gmail.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
asrvwizAuthor Commented:
Netman66 help via email.  Thanks again.
0
 
Netman66Commented:
Just a followup for the benefit of the forum.

The policy was applying properly to the server, just not reflecting it was in the GUI of secpol.

A log was sent to me offline as it contained sensitive info that could not be posted here.

All is well, however I suggested opening a support call with Microsoft to determine if he has uncovered a bug.

Thanks!
NM
0
 
Netman66Commented:
Some info for you - ironically!

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

Kind of confirms my statement about auditpol being correct.

Cheers.
NM
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now