We have a Windows 2008 Domain, with Audit policy settings configured in the Default Domain Controller policy and applied to the DC’s in the environment. We had a requirement to make some additional adjustments to the auditing policy, and on each DC, went under the Local Security Policy>Advanced Audit Policy Configuration to make some changes. When reviewing the Local Policy>Audit Policy, the settings now display as ‘No Auditing’, and options to change these settings are greyed out. Log files started filling up on the DC, so I removed the settings under the Advanced Audit Policy Configuration.
On our primary Domain Controller, I went and set the Audit: Force audit policy subcategory setting (Windows Vista or later)…..to ‘disabled’; removed the settings from the Advanced Audit Policy Configuration, ran gpupudate /force and everything is back as it was prior to making the additional advanced settings.
I did the same on the other domain controllers, however these are not reverting back the Local Policies>Audit Policy to reflect the Security Settings as ‘Success,Failure’. Ran: auditpol.exe /get /category:* prior to changing anything with response of Success/Failure, now displays as ‘No Auditing’
I’m not sure at this point on the other DC’s if the GPO is somehow not updating or some local setting is still present and not allowing the settings to revert back.
I apologize in advance for the lengthy question.