Solved

Windows Security

Posted on 2013-06-03
3
1,902 Views
Last Modified: 2013-06-05
I am getting an Event ID 4719 stating that the local audit policy changed.   (Server 2008 r2).  When I look at the event viewer for this event, Here is what the details say:   How  am I suppose to find out WHAT THE CHANGE  was?   I have ALOT of these entries.   Is this normal?
+ System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4719
 
   Version 0
 
   Level 0
 
   Task 13568
 
   Opcode 0
 
   Keywords 0x8020000000000000
 
  - TimeCreated

   [ SystemTime]  2013-06-03T15:24:53.018875000Z
 
   EventRecordID 101732465
 
   Correlation
 
  - Execution

   [ ProcessID]  912
   [ ThreadID]  7712
 
   Channel Security
 
   Computer bones.bwok.local
 
   Security
 

- EventData

  SubjectUserSid S-1-5-18
  SubjectUserName BONES$
  SubjectDomainName BWOK
  SubjectLogonId 0x3e7
  CategoryId %%8280
  SubcategoryId %%14339
  SubcategoryGuid {0CCE9242-69AE-11D9-BED3-505054503030}
  AuditPolicyChanges %%8448, %%8450
0
Comment
Question by:bankwest
3 Comments
 
LVL 4

Expert Comment

by:Rsilva98
ID: 39217681
This issue occurs mostly when there is an audit .csv file in the following location c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv which needs to be deleted for the machine to receive the group policy again.  Delete the file and to a gpupdate /force and that should do it.
0
 

Author Comment

by:bankwest
ID: 39218932
The server in question.   I have C:\windows\system32\GroupPolicy\Machine and then the next folder (only one) is Scripts.

I did a search for audit.csv and find it in 3 locations:

C:\Windows\Security\audit
C:\Windows\SYSVOL\domain\Policies\
C:\Windows\SYSVOL\sysvol\bwok.local\Policies\

They are all from 2012.

Delete all of them?
0
 
LVL 2

Accepted Solution

by:
oliverbob earned 500 total points
ID: 39221999
Mostly these error takes place when on the audit policy the SACL setting was changed.

I'm not soo sure but, the reason is, because the change itself might affect whether or not the audit is generated.  Usually in Windows, we generate audit after the operation that we are auditing, is performed.  When we generate audit, we always check audit policy to see if we need to generate an event.

Delete the file and to a gpupdate /force and that should do it.  

c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv

Contains :

Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value

I hope I'm clear.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
How do we balance the user experience (UX) with reasonable security measures? It can be done, if you keep these fundamentals in mind.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question