Solved

Windows Security

Posted on 2013-06-03
3
1,984 Views
Last Modified: 2013-06-05
I am getting an Event ID 4719 stating that the local audit policy changed.   (Server 2008 r2).  When I look at the event viewer for this event, Here is what the details say:   How  am I suppose to find out WHAT THE CHANGE  was?   I have ALOT of these entries.   Is this normal?
+ System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4719
 
   Version 0
 
   Level 0
 
   Task 13568
 
   Opcode 0
 
   Keywords 0x8020000000000000
 
  - TimeCreated

   [ SystemTime]  2013-06-03T15:24:53.018875000Z
 
   EventRecordID 101732465
 
   Correlation
 
  - Execution

   [ ProcessID]  912
   [ ThreadID]  7712
 
   Channel Security
 
   Computer bones.bwok.local
 
   Security
 

- EventData

  SubjectUserSid S-1-5-18
  SubjectUserName BONES$
  SubjectDomainName BWOK
  SubjectLogonId 0x3e7
  CategoryId %%8280
  SubcategoryId %%14339
  SubcategoryGuid {0CCE9242-69AE-11D9-BED3-505054503030}
  AuditPolicyChanges %%8448, %%8450
0
Comment
Question by:bankwest
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Expert Comment

by:Rsilva98
ID: 39217681
This issue occurs mostly when there is an audit .csv file in the following location c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv which needs to be deleted for the machine to receive the group policy again.  Delete the file and to a gpupdate /force and that should do it.
0
 

Author Comment

by:bankwest
ID: 39218932
The server in question.   I have C:\windows\system32\GroupPolicy\Machine and then the next folder (only one) is Scripts.

I did a search for audit.csv and find it in 3 locations:

C:\Windows\Security\audit
C:\Windows\SYSVOL\domain\Policies\
C:\Windows\SYSVOL\sysvol\bwok.local\Policies\

They are all from 2012.

Delete all of them?
0
 
LVL 2

Accepted Solution

by:
oliverbob earned 500 total points
ID: 39221999
Mostly these error takes place when on the audit policy the SACL setting was changed.

I'm not soo sure but, the reason is, because the change itself might affect whether or not the audit is generated.  Usually in Windows, we generate audit after the operation that we are auditing, is performed.  When we generate audit, we always check audit policy to see if we need to generate an event.

Delete the file and to a gpupdate /force and that should do it.  

c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv

Contains :

Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value

I hope I'm clear.
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question