  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2395

Windows Security

I am getting an Event ID 4719 stating that the local audit policy changed (Server 2008 R2). When I look at the event viewer for this event, here is what the details say. How am I supposed to find out WHAT THE CHANGE was? I have A LOT of these entries. Is this normal?
+ System

  - Provider

   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
 
   EventID 4719
 
   Version 0
 
   Level 0
 
   Task 13568
 
   Opcode 0
 
   Keywords 0x8020000000000000
 
  - TimeCreated

   [ SystemTime]  2013-06-03T15:24:53.018875000Z
 
   EventRecordID 101732465
 
   Correlation
 
  - Execution

   [ ProcessID]  912
   [ ThreadID]  7712
 
   Channel Security
 
   Computer bones.bwok.local
 
   Security
 

- EventData

  SubjectUserSid S-1-5-18
  SubjectUserName BONES$
  SubjectDomainName BWOK
  SubjectLogonId 0x3e7
  CategoryId %%8280
  SubcategoryId %%14339
  SubcategoryGuid {0CCE9242-69AE-11D9-BED3-505054503030}
  AuditPolicyChanges %%8448, %%8450
0
Asked by: bankwest
1 Solution
 
Rsilva98 Commented:
This issue occurs mostly when there is an audit .csv file in the following location, c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv, which needs to be deleted for the machine to receive the group policy again. Delete the file and do a gpupdate /force and that should do it.
0
 
bankwest (CTO/Cashier, Author) Commented:
The server in question.   I have C:\windows\system32\GroupPolicy\Machine and then the next folder (only one) is Scripts.

I did a search for audit.csv and find it in 3 locations:

C:\Windows\Security\audit
C:\Windows\SYSVOL\domain\Policies\
C:\Windows\SYSVOL\sysvol\bwok.local\Policies\

They are all from 2012.

Delete all of them?
0
 
oliverbob Commented:
Mostly this error takes place when the SACL setting on the audit policy was changed.

I'm not so sure, but the reason is that the change itself might affect whether or not the audit is generated. Usually in Windows, we generate an audit after the operation that we are auditing is performed. When we generate an audit, we always check the audit policy to see if we need to generate an event.

Delete the file and do a gpupdate /force and that should do it.

c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv

Contains :

Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value

I hope I'm clear.
0
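
Added example (not part of the original thread or any poster's code): a PowerShell function that turns the `%%` codes and subcategory GUID of a 4719 event into readable text, which is what the question asks for. The sample XML is constructed from the values posted in the question; the function names and lookup tables are this example's own, and the GUID table covers only the Account Logon subcategories.

```powershell
# Text for the %%NNNN codes that the event's Details view leaves unresolved.
$Change = @{ '%%8448' = 'Success removed'; '%%8449' = 'Success added'
             '%%8450' = 'Failure removed'; '%%8451' = 'Failure added' }
$Category = @{ '%%8272' = 'System'; '%%8273' = 'Logon/Logoff'; '%%8274' = 'Object Access'
               '%%8275' = 'Privilege Use'; '%%8276' = 'Detailed Tracking'
               '%%8277' = 'Policy Change'; '%%8278' = 'Account Management'
               '%%8279' = 'DS Access'; '%%8280' = 'Account Logon' }
# Account Logon subcategory GUIDs only; any other GUID is returned as-is.
# 'auditpol /list /subcategory:* /v' prints the full name-to-GUID list.
$Subcategory = @{
    '{0CCE923F-69AE-11D9-BED3-505054503030}' = 'Credential Validation'
    '{0CCE9240-69AE-11D9-BED3-505054503030}' = 'Kerberos Service Ticket Operations'
    '{0CCE9241-69AE-11D9-BED3-505054503030}' = 'Other Account Logon Events'
    '{0CCE9242-69AE-11D9-BED3-505054503030}' = 'Kerberos Authentication Service'
}

# Hypothetical helper: return the table entry for a key, or the raw key if unknown.
function Resolve-Code($Table, $Key) {
    if ($Key -and $Table.ContainsKey($Key)) { $Table[$Key] } else { $Key }
}

# Hypothetical helper: decode one 4719 event given as XML text.
function ConvertFrom-AuditPolicyChange {
    param([Parameter(Mandatory = $true)][xml]$EventXml)
    $d = @{}
    foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $changes = @($d['AuditPolicyChanges'] -split ',\s*' |
        ForEach-Object { Resolve-Code $Change $_ })
    New-Object PSObject -Property @{
        Time        = $EventXml.Event.System.TimeCreated.SystemTime
        ChangedBy   = $d['SubjectUserName']
        Category    = Resolve-Code $Category $d['CategoryId']
        Subcategory = Resolve-Code $Subcategory $d['SubcategoryGuid']
        Changes     = $changes -join ', '
    } | Select-Object Time, ChangedBy, Category, Subcategory, Changes
}

# Constructed sample, built from the field values posted in the question.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4719</EventID><TimeCreated SystemTime="2013-06-03T15:24:53.018875000Z"/></System>
  <EventData><Data Name="SubjectUserName">BONES$</Data><Data Name="CategoryId">%%8280</Data>
    <Data Name="SubcategoryGuid">{0CCE9242-69AE-11D9-BED3-505054503030}</Data>
    <Data Name="AuditPolicyChanges">%%8448, %%8450</Data></EventData>
</Event>
'@
ConvertFrom-AuditPolicyChange $sample

# Against the live log, grouped so repeated identical changes collapse into one row:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } |
#   ForEach-Object { ConvertFrom-AuditPolicyChange ($_.ToXml()) } | Group-Object Subcategory, Changes
```

For the event posted in the question this decodes to Account Logon / Kerberos Authentication Service with "Success removed, Failure removed". Running `auditpol /get /category:*` afterwards shows the effective policy that resulted.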
