Solved

Windows Security

Posted on 2013-06-03
Last Modified: 2013-06-05
I am getting an Event ID 4719 stating that the local audit policy changed (Server 2008 R2). When I look at this event in Event Viewer, here is what the details say (below). How am I supposed to find out WHAT THE CHANGE was? I have A LOT of these entries. Is this normal?
+ System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4719
 
   Version 0
 
   Level 0
 
   Task 13568
 
   Opcode 0
 
   Keywords 0x8020000000000000
 
  - TimeCreated

   [ SystemTime]  2013-06-03T15:24:53.018875000Z
 
   EventRecordID 101732465
 
   Correlation
 
  - Execution

   [ ProcessID]  912
   [ ThreadID]  7712
 
   Channel Security
 
   Computer bones.bwok.local
 
   Security
 

- EventData

  SubjectUserSid S-1-5-18
  SubjectUserName BONES$
  SubjectDomainName BWOK
  SubjectLogonId 0x3e7
  CategoryId %%8280
  SubcategoryId %%14339
  SubcategoryGuid {0CCE9242-69AE-11D9-BED3-505054503030}
  AuditPolicyChanges %%8448, %%8450
Question by:bankwest
3 Comments
 
LVL 4

Expert Comment

by:Rsilva98
ID: 39217681
This issue occurs mostly when there is an audit .csv file in the following location, c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv, which needs to be deleted for the machine to receive the group policy again. Delete the file and do a gpupdate /force and that should do it.
 

Author Comment

by:bankwest
ID: 39218932
On the server in question, I have C:\windows\system32\GroupPolicy\Machine, and the next folder (the only one) is Scripts.

I did a search for audit.csv and find it in 3 locations:

C:\Windows\Security\audit
C:\Windows\SYSVOL\domain\Policies\
C:\Windows\SYSVOL\sysvol\bwok.local\Policies\

They are all from 2012.

Delete all of them?
 
LVL 2

Accepted Solution

by:
oliverbob earned 500 total points
ID: 39221999
Mostly this error takes place when the SACL setting on the audit policy was changed.

I'm not so sure, but the reason is that the change itself might affect whether or not the audit is generated. Usually in Windows, we generate the audit after the operation that we are auditing is performed. When we generate the audit, we always check the audit policy to see if we need to generate an event.

Delete the file and do a gpupdate /force and that should do it.

c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv

Contains :

Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value

I hope I'm clear.
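
The codes in the question's EventData can be decoded mechanically; this is an added example, not part of the original thread, using the code-to-text mappings from Microsoft's documentation for event 4719 (the function names and the sample XML, rebuilt from the values posted in the question, are constructed for illustration). Under those mappings the posted event records Success and Failure auditing being removed for Account Logon > Kerberos Authentication Service by the local SYSTEM account.

```powershell
# Codes that event 4719 logs in place of text (mappings from Microsoft's 4719 documentation).
$ChangeCodes = @{ '%%8448' = 'Success removed'; '%%8449' = 'Success added'
                  '%%8450' = 'Failure removed'; '%%8451' = 'Failure added' }
# Only the category/subcategory codes that appear in this thread; extend as needed.
$NameCodes = @{ '%%8280' = 'Account Logon'; '%%14339' = 'Kerberos Authentication Service' }

function Resolve-Code($Table, [string]$Code) {
    $c = $Code.Trim()
    if ($Table.ContainsKey($c)) { $Table[$c] } else { $c }   # unknown codes pass through
}

function ConvertFrom-AuditPolicyChange {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        $d = @{}   # EventData fields keyed by their Name attribute
        foreach ($n in $evt.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        $changes = ($d['AuditPolicyChanges'] -split ',' |
                    ForEach-Object { Resolve-Code $ChangeCodes $_ }) -join ', '
        New-Object PSObject -Property @{
            Time        = $evt.System.TimeCreated.GetAttribute('SystemTime')
            Computer    = $evt.System.Computer
            ChangedBy   = '{0} ({1})' -f $d['SubjectUserName'], $d['SubjectUserSid']
            Category    = (Resolve-Code $NameCodes $d['CategoryId'])
            Subcategory = (Resolve-Code $NameCodes $d['SubcategoryId'])
            Guid        = $d['SubcategoryGuid']
            Changes     = $changes
        } | Select-Object Time, Computer, ChangedBy, Category, Subcategory, Guid, Changes
    }
}

# Constructed sample: the event from the question, rebuilt as Event Viewer's XML view.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><TimeCreated SystemTime="2013-06-03T15:24:53.018875000Z"/><Computer>bones.bwok.local</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">BONES$</Data>
    <Data Name="CategoryId">%%8280</Data>
    <Data Name="SubcategoryId">%%14339</Data>
    <Data Name="SubcategoryGuid">{0CCE9242-69AE-11D9-BED3-505054503030}</Data>
    <Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
  </EventData></Event>
'@
$sample | ConvertFrom-AuditPolicyChange | Format-List
# On the server, decode the real log and count which subcategory keeps flipping:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719} | ForEach-Object { $_.ToXml() } |
#     ConvertFrom-AuditPolicyChange | Group-Object Subcategory, Changes | Sort-Object Count -Descending
```

Running `auditpol /get /subcategory:"Kerberos Authentication Service"` afterwards shows the setting currently in effect, for comparison with the last change the log recorded.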