Windows 2008 R2 Configuring Advanced Audit Policy Configuration not updating as expected

We have a Windows 2008 Domain, with Audit policy settings configured in the Default Domain Controller policy and applied to the DCs in the environment. We had a requirement to make some additional adjustments to the auditing policy, and on each DC, went under the Local Security Policy>Advanced Audit Policy Configuration to make some changes. When reviewing the Local Policy>Audit Policy, the settings now display as ‘No Auditing’, and options to change these settings are greyed out. Log files started filling up on the DC, so I removed the settings under the Advanced Audit Policy Configuration.

On our primary Domain Controller, I set ‘Audit: Force audit policy subcategory setting (Windows Vista or later)…’ to ‘disabled’, removed the settings from the Advanced Audit Policy Configuration, and ran gpupdate /force, and everything is back as it was prior to making the additional advanced settings.

I did the same on the other domain controllers; however, these are not reverting the Local Policies>Audit Policy back to reflect the Security Settings as ‘Success,Failure’. I ran auditpol.exe /get /category:* prior to changing anything, with a response of Success/Failure; it now displays as ‘No Auditing’.

I’m not sure at this point whether, on the other DCs, the GPO is somehow not updating or some local setting is still present and not allowing the settings to revert back.

I apologize in advance for the lengthy question.

Thank you,

David Johnson, CD, MVP (Owner) Commented:
If it is 'greyed' out, that means it is managed by group policy.

trinity2007 (Author) Commented:
Correct, as the Default Domain Controllers Policy has the setting configured as Success,Failure under Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Audit Policy. However, I'm not seeing 'Success,Failure' on the other Domain Controllers when checking the Local Policy, gpresult and running auditpol.exe /get /category:*. RSOP.msc shows the correct settings.
As far as I know, the only setting that was changed was the Advanced Configuration Settings, which I removed, unless another change was made that I'm not aware of.

trinity2007 (Author) Commented:
Verified all policies are being applied; obviously cannot edit the local security policy as the server knows it is being administered to by GPO. Forced replication and gpupdate /force. The local security policy on the Primary DC is in sync, other DCs out of sync. Did a little more digging and found the following link:

Deleted the audit.csv file (which had nothing in it), rebooted the servers, re-ran gpupdate /force and all is well.

Hope this helps someone else.

Thank you,

trinity2007 (Author) Commented:
Found resolution to issue:

Deleted the audit.csv file (which had nothing in it), rebooted the servers, re-ran gpupdate /force and all is well.

I hope this is the information you need for review.
Thank you,
trinity2007 (Author) Commented:
Issue resolved with further research
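
A read-only check for the state this thread describes (every subcategory at 'No Auditing' while an audit.csv is still on disk), added here as an example and not posted by any participant. The registry value name and the two audit.csv paths are standard Windows defaults assumed for the example; the thread states neither.

```powershell
# Added example: read-only audit-policy check for one domain controller.
# Run from an elevated PowerShell prompt; nothing is modified or deleted.

# 1. "Audit: Force audit policy subcategory settings" is stored in this LSA value.
#    1 = subcategory (advanced) settings override the legacy Audit Policy categories.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$force = $lsa.SCENoApplyLegacyAuditPolicy
if ($force -eq $null) { $force = '(not set)' }
"SCENoApplyLegacyAuditPolicy = $force"

# 2. Default audit.csv locations (assumed; the thread does not state the path).
$csvPaths = @(
    "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv",
    "$env:SystemRoot\security\audit\audit.csv"
)
$leftover = @()
foreach ($p in $csvPaths) {
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p -Force
        $leftover += $p
        "{0}  ({1} bytes, modified {2})" -f $p, $f.Length, $f.LastWriteTime
    } else {
        "{0}  (not present)" -f $p
    }
}

# 3. Effective policy as the system reports it. /r emits CSV; the column names
#    below are the English ones and differ on localized builds.
$rows = @(auditpol.exe /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv)
$off  = @($rows | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
"{0} of {1} subcategories report 'No Auditing'" -f $off.Count, $rows.Count

# 4. Flag the state described in the thread: nothing is audited on this DC
#    while an audit.csv is still on disk.
if ($rows.Count -gt 0 -and $off.Count -eq $rows.Count -and $leftover.Count -gt 0) {
    Write-Warning "All subcategories are 'No Auditing' and audit.csv exists: $($leftover -join '; ')"
} elseif ($off.Count -gt 0) {
    $off | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
}
```

Running it on each DC before and after gpupdate /force shows whether the effective policy matches what RSOP.msc reports.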