bankwest
asked on
Windows Security
I am getting an Event ID 4719 stating that the local audit policy changed (Server 2008 R2). When I look at the event viewer for this event, here is what the details say: How am I supposed to find out WHAT THE CHANGE was? I have A LOT of these entries. Is this normal?
+ System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4719
Version 0
Level 0
Task 13568
Opcode 0
Keywords 0x8020000000000000
- TimeCreated
[ SystemTime] 2013-06-03T15:24:53.018875000Z
EventRecordID 101732465
Correlation
- Execution
[ ProcessID] 912
[ ThreadID] 7712
Channel Security
Computer bones.bwok.local
Security
- EventData
SubjectUserSid S-1-5-18
SubjectUserName BONES$
SubjectDomainName BWOK
SubjectLogonId 0x3e7
CategoryId %%8280
SubcategoryId %%14339
SubcategoryGuid {0CCE9242-69AE-11D9-BED3-505054503030}
AuditPolicyChanges %%8448, %%8450
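The %% tokens in the EventData above are message identifiers, and decoding them shows what the change was. The PowerShell below is an added example, not part of the original thread: the function names and lookup tables are assumptions of this example, the tables cover only the codes in this event plus the four success/failure flags, and the sample XML is constructed from the values posted above.

```powershell
# Added example (PowerShell 2.0 compatible): decode the %%-tokens of event 4719.
# Lookup tables hold only the codes seen in this event plus the four
# success/failure flags; any other code is passed through unchanged.
$ChangeFlag = @{
    '%%8448' = 'Success removed'; '%%8449' = 'Success added'
    '%%8450' = 'Failure removed'; '%%8451' = 'Failure added'
}
$Category    = @{ '%%8280'  = 'Account Logon' }
$Subcategory = @{ '%%14339' = 'Kerberos Authentication Service' }

# Hypothetical helper: return the table entry, or the raw code if unknown.
function Resolve-Code($Table, $Code) {
    if ($Table.ContainsKey($Code)) { $Table[$Code] } else { $Code }
}

# Hypothetical function name; takes one event as XML.
function ConvertFrom-AuditPolicyChange {
    param([Parameter(Mandatory = $true)][xml]$EventXml)
    # Flatten <Data Name="...">value</Data> nodes into a hashtable.
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $changes = $d['AuditPolicyChanges'] -split ',' |
        ForEach-Object { Resolve-Code $ChangeFlag $_.Trim() }
    New-Object PSObject -Property @{
        ChangedBy   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Category    = Resolve-Code $Category    $d['CategoryId']
        Subcategory = Resolve-Code $Subcategory $d['SubcategoryId']
        Guid        = $d['SubcategoryGuid']
        Changes     = $changes -join ', '
    }
}

# Constructed sample: EventData values copied from the event in the question.
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
  <Data Name="SubjectUserName">BONES$</Data>
  <Data Name="SubjectDomainName">BWOK</Data>
  <Data Name="CategoryId">%%8280</Data>
  <Data Name="SubcategoryId">%%14339</Data>
  <Data Name="SubcategoryGuid">{0CCE9242-69AE-11D9-BED3-505054503030}</Data>
  <Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
</EventData></Event>
'@
ConvertFrom-AuditPolicyChange $sample

# Live use on the server (reads the Security log, needs elevation):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719} |
#     ForEach-Object { ConvertFrom-AuditPolicyChange ([xml]$_.ToXml()) }
```

For the event in the question this decodes to Account Logon / Kerberos Authentication Service with Success and Failure auditing both removed, changed by the machine account. `auditpol /get /category:*` shows the effective setting after the change.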
This issue occurs mostly when there is an audit .csv file in the following location c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv which needs to be deleted for the machine to receive the group policy again. Delete the file and do a gpupdate /force and that should do it.
ASKER
The server in question. I have C:\windows\system32\GroupPolicy\Machine and then the next folder (only one) is Scripts.
I did a search for audit.csv and found it in 3 locations:
C:\Windows\Security\audit
C:\Windows\SYSVOL\domain\Policies\
C:\Windows\SYSVOL\sysvol\bwok.local\Policies\
They are all from 2012.
Delete all of them?