Audit GPO is not applied in server 2012R2

PramoIT
Hi,

We have a couple of Server 2012 R2 servers in a domain. The GPO settings get applied successfully, except the audit GPO settings. They don't get applied. This is the case for the basic (category) audit settings as well as for the advanced (subcategory) audit settings (when "Force audit policy subcategory settings......" is enabled).

When I run RSOP it says that the policy is set, but when I look in local security policy it doesn't have the audit settings applied.

Any help is appreciated.

Regards,
Distinguished Expert 2018

Commented:
"when I look in local security policy it doesn't have the audit settings applied." - the changes don't reflect in there, that is normal.
To see whether they applied, use
gpresult /h %temp%\results.html /f & %temp%\results.html


Author

Commented:
Hi,

On other servers (other domain) I can see the settings are reflected in local security policy and they are greyed out.

When I run that command I can see in the RSOP that all settings are applied, but in reality they aren't. Account logons are not logged in the Windows event logs.
Distinguished Expert 2018

Commented:
Name one example of a GPO that gpresult shows as being applied and where the corresponding entries are not being greyed out.

Author

Commented:
They are greyed out, but not set. My main concern is that the policy looks like it is applied, but in reality they are not.
Distinguished Expert 2018

Commented:
Being greyed out at the local gpedit.msc means they are definitely in effect, so don't worry and simply try out if those things are being logged that you turned logging on for.
Tech Lead
Commented:
Seems like there was an internal mismatch of the GUIDs

For testing try this:

Set every advanced audit configuration item to "Not configured"
Run gpupdate /force on the relevant systems
Re-set all advanced audit configuration according to your requirements

https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/

https://www.lepide.com/how-to/enable-active-directory-security-auditing.html

https://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx

Hope this helps!
Distinguished Expert 2018

Commented:
Ajit, could you please explain what makes you think there is an "internal mismatch"?
What the author reports is perfectly normal and the reason for this question is that the author assumes that GPOs will be reflected in the local gpedit.msc - which is not true.
E A, Tech Lead

Commented:
As the author is applying it and it's not showing, I was just guessing that maybe something is enforcing it; that's why I have written this just for testing.

Maybe I am wrong here.
Distinguished Expert 2018

Commented:
"it's not showing" - it is showing the way it should: by seeing greyed out options to edit the local policies in gpedit.msc we can confirm that these domain GPOs are being applied normally.
E A, Tech Lead

Commented:
I missed that, thanks for letting me know.

Author

Commented:
Hi McKnife, what I'm trying to explain is that the audit GPO is not applied. There is nothing audited in the security log. No account logons (success and failure).

@Ajit, I will try that and let you know.
Distinguished Expert 2018

Commented:
Account logons of domain accounts are not logged locally but instead on the domain controller. Could that be the "problem"?

Author

Commented:
Hi McKnife,

We have several other domains where domain account logons are logged on the machine (terminal server) where users log on to.

Anyway, I have set all the GPO audit settings to Not Configured. Did a gpupdate /force on the machine and then set the audit policies again. That worked.

Thanks for the help.
Jeremy Weisinger, Senior Network Consultant / Engineer

Commented:
If it's a domain account the Account Logon event is the credential validation and needs to happen on a domain controller. Logon events happen on the machine where the session is established (like logging onto the desktop).

If you see Account Logon events on a non-DC computer, it is for a local account.

More info: https://blogs.msdn.microsoft.com/ericfitz/2005/08/04/deciphering-account-logon-events/

Author

Commented:
Maybe it's my ignorance, but see attached screenshot. These are events on a terminal server (so not a DC) and these events log logon and logoff events of domain accounts.

These are the events I missed before the problem was solved.

So what do you mean by "If you see Account Logon events on a non-DC computer, it is for a local account."? These are domain accounts, aren't they?
Capture.JPG
Jeremy Weisinger, Senior Network Consultant / Engineer

Commented:
Logon and Logoff events are different than Account Logon events. The link I posted describes the difference between the two.

Account Logon events are the validation of the credentials. These occur on the source of authority for the account. (so if it's a domain account it will occur on a domain controller)
Logon/Logoff events pertain to the session. Those occur where the session is. (so on the terminal server, even if it's a domain account)

The reason we're pointing out the difference is because the audit policies are different. So when configuring, you need to configure the logon/logoff settings. If you only configured the Account Logon audit policy and then forced the rest of the settings then that would explain why you weren't getting the logon/logoff events.
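
Added example, not part of the thread or any poster's own code: a PowerShell check that puts the audit policy the machine actually enforces (from auditpol, which gpresult/RSOP output does not show) next to counts of the two event families distinguished above. It assumes an elevated session and an English-language OS, since auditpol prints localized subcategory names; the subcategory and event ID groupings are assumptions chosen for this illustration.

```powershell
# Added example. Run elevated on the server whose auditing is in question.
# Assumption: English OS (auditpol subcategory names are localized).

# Subcategories and event IDs behind the two families discussed in the thread.
$families = [ordered]@{
    'Account Logon' = @{
        Subcategories = 'Credential Validation',
                        'Kerberos Authentication Service',
                        'Kerberos Service Ticket Operations'
        EventIds      = 4776, 4768, 4769, 4771   # credential validation, Kerberos
    }
    'Logon/Logoff'  = @{
        Subcategories = 'Logon', 'Logoff'
        EventIds      = 4624, 4625, 4634, 4647   # session logon, failure, logoff
    }
}

# Effective policy as enforced by the system, in CSV form (/r).
$effective = auditpol /get /category:* /r |
    Where-Object { $_ } |
    ConvertFrom-Csv

$since = (Get-Date).AddHours(-24)

$report = foreach ($name in $families.Keys) {
    $family = $families[$name]

    foreach ($sub in $family.Subcategories) {
        $row = $effective |
            Where-Object { "$($_.Subcategory)".Trim() -eq $sub }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
        [pscustomobject]@{ Family = $name; Item = $sub; Value = $setting }
    }

    # Count matching events actually written to the local Security log.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = $family.EventIds; StartTime = $since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Family = $name; Item = 'Events, last 24 h'; Value = @($events).Count
    }
}

$report | Format-Table -AutoSize
```

A subcategory reported as "No Auditing" here while the GPO report lists it as configured is the mismatch described in the original question.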

Author

Commented:
OK, I understand. I had and have both logon/logoff and account logon/logoff enabled for auditing.

So the initial problem was that the logon/logoff didn’t get applied.

Thanks for the help.
