Windows Server 2008
--
Questions
--
Followers
Top Experts
Windows Security
I am getting an Event ID 4719 stating that the local audit policy changed. (Server 2008 r2). When I look at the event viewer for this event, Here is what the details say: How am I suppose to find out WHAT THE CHANGE was? I have ALOT of these entries. Is this normal?
+ System
- Provider
[ Name] Microsoft-Windows-Security
[ Guid] {54849625-5478-4994-A5BA-3
EventID 4719
Version 0
Level 0
Task 13568
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2013-06-03T15:24:53.018875
EventRecordID 101732465
Correlation
- Execution
[ ProcessID] 912
[ ThreadID] 7712
Channel Security
Computer bones.bwok.local
Security
- EventData
SubjectUserSid S-1-5-18
SubjectUserName BONES$
SubjectDomainName BWOK
SubjectLogonId 0x3e7
CategoryId %%8280
SubcategoryId %%14339
SubcategoryGuid {0CCE9242-69AE-11D9-BED3-5
AuditPolicyChanges %%8448, %%8450
+ System
- Provider
[ Name] Microsoft-Windows-Security
[ Guid] {54849625-5478-4994-A5BA-3
EventID 4719
Version 0
Level 0
Task 13568
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2013-06-03T15:24:53.018875
EventRecordID 101732465
Correlation
- Execution
[ ProcessID] 912
[ ThreadID] 7712
Channel Security
Computer bones.bwok.local
Security
- EventData
SubjectUserSid S-1-5-18
SubjectUserName BONES$
SubjectDomainName BWOK
SubjectLogonId 0x3e7
CategoryId %%8280
SubcategoryId %%14339
SubcategoryGuid {0CCE9242-69AE-11D9-BED3-5
AuditPolicyChanges %%8448, %%8450
Zero AI Policy
We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.
This issue occurs mostly when there is an audit .csv file in the following location c:\windows\system32\GroupP
The server in question. I have C:\windows\system32\GroupP
I did a search for audit.csv and find it in 3 locations:
C:\Windows\Security\audit
C:\Windows\SYSVOL\domain\P
C:\Windows\SYSVOL\sysvol\b
They are all from 2012.
Delete all of them?
I did a search for audit.csv and find it in 3 locations:
C:\Windows\Security\audit
C:\Windows\SYSVOL\domain\P
C:\Windows\SYSVOL\sysvol\b
They are all from 2012.
Delete all of them?
ASKER CERTIFIED SOLUTION
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
EARN REWARDS FOR ASKING, ANSWERING, AND MORE.
Earn free swag for participating on the platform.
Windows Server 2008
--
Questions
--
Followers
Top Experts
Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.