Server 2012 R2 Security Log Event Viewer not logging

I built a 2012 R2 server which is acting as a DC, DNS, KMS and CA. The Group Policy settings for Default Domain Controllers are as per the attachment, yet the security event log shows only a handful of events despite there being numerous issues with one user account being locked out - I have twice gone through the steps: disabling the event log service, rebooting, renaming the security event log file, re-enabling the service and rebooting, which generates a new security event viewer log file, but no entries appear after the initial logs. See attachment.

The server is hit by 2 GPOs, DDC and DD. Event log settings attached.

The GPOs were migrated to this domain from another.

Any further ideas?

Do an rsop.msc from your Run window and check to see if your GPOs have been applied to this DC.


Yup, did that originally and they are being applied.

Christopher Jay Wolff, Wiggle My Legs, Owner


I'm new with this but was reading and would like to learn.  This article below led me to think this.  His location is different than yours I think or I just don't understand.  I looked at your screens and it seems like I want to look in the one labeled "...Security Options"  which I believe remains closed in all screens you provided.  It sounds like everything is doing what it is set to do, but it is set incorrectly maybe for what you want?

This article describes advice on setting up for auditing for security.  As he says, deciding to audit is easy, the harder choice is deciding what to audit.

What do you think?

Christopher Jay Wolff, Wiggle My Legs, Owner

From a video I just saw the "Advanced Audit Policy Configuration" is way down below "Local Policies"

What I did is sign up for an instant webinar and downloaded it a couple minutes ago and in the first 4 minutes I think it is saying you might be looking at the wrong audit settings.

The link has a form, I filled it out, they emailed me the .wmv of the webinar and it's pretty good.

Do you think this is the right track?

Hope so.  :-)
Have been looking at this further via a different avenue as we were having NTLM issues - On another 2012 R2 server I saw the same behavior - it was one I built around the same time and imported the same GPO settings too, yet when I ran an auditpol /get it showed all settings as not defined whereas in Local Policies they are. Setting these to Success and Failure in Advanced Audit generates entries in the security log.

I'll take a look at the video but if this is the case as above does this mean we have to deal with event log configuration via GPO in Server 2012 R2 in a different way than we are used to? I didn't get that memo!
Christopher Jay Wolff, Wiggle My Legs, Owner
No experience here.

That is definitely what the video says.  To paraphrase, Server 2008 and later you'll want to configure GPO to force advanced audit, then your options under advanced offer much greater specifics for what you want to audit.  It appears in the video that using the GP Management Editor, selecting Local Policies, Security Options, lets you see Policies in the right panel where you should find...

Audit:  Force audit policy subcategory settings

Once you have that enabled, then go to Advanced Audit and make your choices.  He calls the regular audit options "legacy" for prior to Server 2008.  I only watched the first four minutes of the video to get this, and you can jump to minute two or so.  I'll see if I can get this guy to send you the memo.  :-)
So I found the below explicitly stated in addition to the info provided earlier -

'as soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.' From:

If you use advanced audit, don't bother configuring the local policy\audit policy setting as it will be ignored once you set the policy for enabling advanced audit which is:

“Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”

Thanks for setting me in the right direction. All logging as expected now.

And don't forget to enable winlog.log to be generated on newly built DCs via the registry key (another thing I'd missed)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}
Click the key ExtensionDebugLevel and enter 2


Expert comment set me in the right direction but I had to find out further information and conduct further verification myself to confirm behaviour was as described.
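
For anyone hitting the same symptom, here is a check of what the thread converged on: whether the effective Advanced Audit subcategories are actually set, and whether the "Force audit policy subcategory settings" option is on. This is an added example, not something posted by anyone in the thread. The function name and the watchlist are assumptions, the sample rows are constructed, and `SCENoApplyLegacyAuditPolicy` is the registry value behind that security option.

```powershell
# Added example. The watchlist is an assumption aimed at lockout troubleshooting.
$Watch = 'User Account Management', 'Account Lockout', 'Logon',
         'Credential Validation', 'Kerberos Authentication Service'

function Test-AuditPolicy {   # hypothetical helper name
    param(
        [string[]]$CsvLines,        # output of: auditpol /get /category:* /r
        [object]$ForceSubcategory   # SCENoApplyLegacyAuditPolicy value, $null if unset
    )
    # auditpol /r emits CSV; drop blank lines before parsing.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Watch) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not in output' }
        [pscustomobject]@{
            Check     = $name
            Effective = $setting
            OK        = [bool]($setting -match 'Success|Failure')
        }
    }
    # Registry value behind "Audit: Force audit policy subcategory settings".
    $forced = ($ForceSubcategory -eq 1)
    $forcedText = if ($forced) { 'Enabled' } else { 'Not enabled' }
    [pscustomobject]@{ Check = 'Force subcategory settings'; Effective = $forcedText; OK = $forced }
}

# Constructed sample in auditpol /r layout (GUID column is a placeholder).
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

DC01,System,Logon,{GUID},Success and Failure,
DC01,System,Account Lockout,{GUID},No Auditing,
DC01,System,User Account Management,{GUID},No Auditing,
DC01,System,Credential Validation,{GUID},Failure,
DC01,System,Kerberos Authentication Service,{GUID},No Auditing,
'@ -split "`r?`n"

Test-AuditPolicy -CsvLines $sample -ForceSubcategory $null | Format-Table -AutoSize

# On a live DC, from an elevated prompt:
# $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Test-AuditPolicy -CsvLines (auditpol /get /category:* /r) `
#     -ForceSubcategory $lsa.SCENoApplyLegacyAuditPolicy |
#     Where-Object { -not $_.OK }
```

Rows with OK = False are the subcategories that will write nothing to the Security log, whatever the legacy Local Policies\Audit Policy page shows.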
