Windows Security

I am getting an Event ID 4719 stating that the local audit policy changed.   (Server 2008 r2).  When I look at the event viewer for this event, Here is what the details say:   How  am I suppose to find out WHAT THE CHANGE  was?   I have ALOT of these entries.   Is this normal?
+ System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4719
 
   Version 0
 
   Level 0
 
   Task 13568
 
   Opcode 0
 
   Keywords 0x8020000000000000
 
  - TimeCreated

   [ SystemTime]  2013-06-03T15:24:53.018875000Z
 
   EventRecordID 101732465
 
   Correlation
 
  - Execution

   [ ProcessID]  912
   [ ThreadID]  7712
 
   Channel Security
 
   Computer bones.bwok.local
 
   Security
 

- EventData

  SubjectUserSid S-1-5-18
  SubjectUserName BONES$
  SubjectDomainName BWOK
  SubjectLogonId 0x3e7
  CategoryId %%8280
  SubcategoryId %%14339
  SubcategoryGuid {0CCE9242-69AE-11D9-BED3-505054503030}
  AuditPolicyChanges %%8448, %%8450
bankwestCTO/CashierAsked:
Who is Participating?
 
oliverbobConnect With a Mentor Commented:
Mostly these error takes place when on the audit policy the SACL setting was changed.

I'm not soo sure but, the reason is, because the change itself might affect whether or not the audit is generated.  Usually in Windows, we generate audit after the operation that we are auditing, is performed.  When we generate audit, we always check audit policy to see if we need to generate an event.

Delete the file and to a gpupdate /force and that should do it.  

c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv

Contains :

Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value

I hope I'm clear.
0
 
Rsilva98Commented:
This issue occurs mostly when there is an audit .csv file in the following location c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv which needs to be deleted for the machine to receive the group policy again.  Delete the file and to a gpupdate /force and that should do it.
0
 
bankwestCTO/CashierAuthor Commented:
The server in question.   I have C:\windows\system32\GroupPolicy\Machine and then the next folder (only one) is Scripts.

I did a search for audit.csv and find it in 3 locations:

C:\Windows\Security\audit
C:\Windows\SYSVOL\domain\Policies\
C:\Windows\SYSVOL\sysvol\bwok.local\Policies\

They are all from 2012.

Delete all of them?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.