Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Group Policy applying but not changing settings :(

Posted on 2015-01-15
3
Medium Priority
?
1,567 Views
Last Modified: 2015-01-21
Thank you for this urgent help. Auditors checking this out tomorrow morning.

We have a GPO that sets the eventlog audit settings for success or failure security events. The scope is set to Authenticated Users.

When I run the group policy wizard in GPMC it shows the settings applying to one of our servers in that OU.

When I run gpresult/z from that server it shows the policy applying to that server.

But when I go into gpedit.msc the security audit settings are all set to "not defined" and they are grayed out so I can't edit them manually.

As a test I set the GPO to deny applying to that server. I ran gpudpate/force on the system and then gpresult and it shows the GPO now not applying. But the settings are still set to not defined and still not editable. they are not being set by any other GPO.

In the event logs I only see three GPO errors but they are unrelated. A separate GPO is having issues creating user accounts. No other GPOs apply.

Quick help would be fantastic.

Server runs on Windows Server 2008 R2 (I can edit GPO but not the domain ones and I don't have access to the domain controllers).
0
Comment
Question by:DITGUY
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 24

Expert Comment

by:VB ITS
ID: 40552830
But when I go into gpedit.msc the security audit settings are all set to "not defined" and they are grayed out so I can't edit them manually.
There's your problem. gpedit.msc is used to modify the Local Computer Policy, not policies in Group Policy. You need to use the Group Policy Management Console (or GPMC for short) to modify the Group Policies.

If you don't have access to the Domain Controller and need to modify GPOs from your 2008 R2 server then you can install the GPMC through Server Manager. See this article for the steps to do this: http://technet.microsoft.com/en-us/library/cc725932.aspx
0
 

Accepted Solution

by:
DITGUY earned 0 total points
ID: 40553324
OK, After several hours I figured it out. Turns out there's bugs and odd functionality.

If someone ever tested the 'advanced audit settings' (which I did in the same GPO at some point) then it sets a registry key to disable the use of the older basic audit settings. But when you stop using those advanced settings in your GPO it doesn't remove that registry bit. So I used the GPO to undo that setting. This was the first step. This is found Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to DISABLED.

Even though this is done, sometimes the GPO files on the domain controllers don't remove the old audit settings. So in the comments of another thread I found out you may have to go to \\domain-fqdn\SYSVOL\domain-fqdn\Policies\{your-policy-id-where-this-setting-was-originally-set}\Machine\Microsoft\Windows NT\ and delete the Audit folder which is left behind due to some odd bug. If you don't do this even after doing the next step the next gpupdate will bring that security setting above back down.

Next you have to reset your audit settings on your PC to the defaults. Unfortunately there is no way to do this. Auditpol /clear does not accomplish this. The only way to do this is to take the audit settings from another working system, export them and then 'restore' those same settings to the affected server. To do this:

1. On 'working system' run cmd.exe as administrator and export the audit settings to a folder like this:
auditpol /backup /file:c:\working-auditpol-settings.txt

2. Copy that file to the broken system such as the C:\ drive and run this on the broken system:
auditpol /restore /file:c:\working-auditpol-settings.txt

Open GPEDIT.MSC and verify the audit settings are back to normal. Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy

Then run gpupdate/force on the formerly broken system. Close gpedit.msc and reopen and verify the settings were not overwritten. If you skipped the sysvol audit folder deletion step they may come back.

Hope this helps someone.
0
 

Author Closing Comment

by:DITGUY
ID: 40561590
Figured out answer on my own. See above.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question