Audit GPO is not applied in server 2012R2

Hi,

We have a couple of Server 2012 R2 servers in a domain. The GPO settings get applied successfully, except the audit GPO settings. They don't get applied. This is the case for the basic (category) audit settings as well as for the advanced (subcategory) audit settings (when "Force audit policy subcategory settings......" is enabled).

When I run RSOP it says that the policy is set, but when I look in local security policy it doesn't have the audit settings applied.

Any help is appreciated.

Regards,
PramoIT

McKnife Commented:
"when I look in local security policy it doesn't have the audit settings applied." - the changes don't reflect in there, that is normal.
To see whether they applied, use
gpresult /h %temp%\results.html /f & %temp%\results.html

0
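gpresult reports which GPO settings were delivered to the machine; the audit policy the system is actually enforcing can be read with auditpol. The following is an added example, not part of the original thread: it compares the effective subcategory settings against an assumed baseline (the `$expected` table is a placeholder, and the subcategory names assume an English-language OS) and reads the registry value behind the "Force audit policy subcategory settings" option.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Assumed baseline: adjust to the settings your audit GPO is meant to deliver.
$expected = @{
    'Logon'                 = 'Success and Failure'
    'Logoff'                = 'Success'
    'Credential Validation' = 'Success and Failure'
}

# /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting
$effective = auditpol /get /category:* /r |
    Where-Object { $_ -and $_.Trim() } |
    ConvertFrom-Csv

$report = foreach ($name in $expected.Keys) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $expected[$name]
        Effective   = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
        Match       = [bool]($row -and $row.'Inclusion Setting' -eq $expected[$name])
    }
}
$report | Format-Table -AutoSize

# The "Force audit policy subcategory settings..." security option is stored
# in this value; 1 means subcategory settings override the basic categories.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
"SCENoApplyLegacyAuditPolicy = " +
    $(if ($lsa) { $lsa.SCENoApplyLegacyAuditPolicy } else { 'not set' })

if ($report.Match -contains $false) {
    Write-Warning 'Effective audit policy differs from the expected baseline.'
}
```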
PramoIT (Author) Commented:
Hi,

On other servers (other domain) I can see the settings are reflected in local security policy and they are greyed out.

When I run that command I can see in the RSOP that all settings are applied, but in reality they aren't. Account logons are not logged in the Windows event logs.
0
McKnife Commented:
Name one example of a GPO that gpresult shows as being applied and where the corresponding entries are not being greyed out.
0
PramoIT (Author) Commented:
They are greyed out, but not set. My main concern is that the policy looks like it is applied, but in reality they are not.
0
McKnife Commented:
Being greyed out at the local gpedit.msc means they are definitely in effect, so don't worry and simply try out if those things are being logged that you turned logging on for.
0
Ajit Singh Commented:
Seems like there was an internal mismatch of the GUIDs.

For testing try this:

Set every advanced audit configuration item to "Not configured"
Run gpupdate /force on the relevant systems
Re-set all advanced audit configuration according to your requirements

https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/

https://www.lepide.com/how-to/enable-active-directory-security-auditing.html

https://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx

Hope this helps!
0

McKnife Commented:
Ajit, could you please explain what makes you think there is an "internal mismatch"?
What the author reports is perfectly normal and the reason for this question is that the author assumes that GPOs will be reflected in the local gpedit.msc - which is not true.
0
Ajit Singh Commented:
As the author is applying it and it's not showing, I was just guessing that maybe something is enforcing it, that's why I wrote it just for testing.

Maybe I am wrong here.
0
McKnife Commented:
"its not showing" - it is showing the way it should: by seeing greyed out options to edit the local policies in gpedit.msc we can confirm that these domain GPOs are being applied normally.
1
Ajit Singh Commented:
I missed that, thanks for letting me know.
0
PramoIT (Author) Commented:
Hi McKnife, what I'm trying to explain is that the audit GPO is not applied. There is nothing audited in the security log. No account logons (success and failure).

@Ajit, I will try that and let you know.
0
McKnife Commented:
Account logons of domain accounts are not logged locally but instead on the domain controller. Could that be the "problem"?
1
PramoIT (Author) Commented:
Hi McKnife,

We have several other domains where domain account logons are logged on the machine (terminal server) where users log on to.

Anyway, I have set all the GPO audit settings to Not Configured. Did a gpupdate /force on the machine and then set the audit policies again. That worked.

Thanks for the help.
0
Jeremy Weisinger, Senior Network Consultant / Engineer, Commented:
If it's a domain account the Account Logon event is the credential validation and needs to happen on a domain controller. Logon events happen on the machine where the session is established. (like logging onto the desktop)

If you see Account Logon events on a non-DC computer, it is for a local account.

More info: https://blogs.msdn.microsoft.com/ericfitz/2005/08/04/deciphering-account-logon-events/
0
PramoIT (Author) Commented:
Maybe it's my ignorance, but see attached screen shot. These are events on a terminal server (so not a DC) and these events log logon and logoff events of domain accounts.

These are the events I missed before the problem was solved.

So what do you mean by "If you see Account Logon events on a non-DC computer, it is for a local account.". These are domain accounts, aren't they?
Capture.JPG
0
Jeremy Weisinger, Senior Network Consultant / Engineer, Commented:
Logon and Logoff events are different than Account Logon events. The link I posted describes the difference between the two.

Account Logon events are the validation of the credentials. These occur on the source of authority for the account. (so if it's a domain account it will occur on a domain controller)
Logon/Logoff events pertain to the session. Those occur where the session is. (so on the terminal server, even if it's a domain account)

The reason we're pointing out the difference is because the audit policies are different. So when configuring, you need to configure the logon/logoff settings. If you only configured the Account Logon audit policy and then forced the rest of the settings then that would explain why you weren't getting the logon/logoff events.
1
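The distinction between Account Logon and Logon/Logoff events can be checked directly in the Security log. This is an added example, not part of the original thread: it counts the standard Security event IDs for each audit category over the last 24 hours (the time window is an assumption), so that running it on the terminal server and on a domain controller shows which machine records which category.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session.
# Standard Windows Security log event IDs, grouped by audit category.
$map = @{
    4624 = 'Logon/Logoff: successful logon (where the session is)'
    4625 = 'Logon/Logoff: failed logon'
    4634 = 'Logon/Logoff: logoff'
    4776 = 'Account Logon: credential validation (NTLM)'
    4768 = 'Account Logon: Kerberos TGT request (domain controller)'
    4769 = 'Account Logon: Kerberos service ticket request (domain controller)'
}

$since  = (Get-Date).AddHours(-24)   # assumed window
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$map.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue

# Per-ID counts with the category each ID belongs to.
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        EventId  = $_.Name
        Count    = $_.Count
        Category = $map[[int]$_.Name]
    }
} | Format-Table -AutoSize

# IDs that never appeared point at a subcategory that is not being audited
# on this machine, or at events that are recorded on another machine.
foreach ($id in ($map.Keys | Sort-Object)) {
    if (-not ($events.Id -contains $id)) {
        "No event $id since $since ($($map[$id]))"
    }
}
```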
PramoIT (Author) Commented:
Ok, I understand. I had and have both logon/logoff and account logon/logoff enabled for auditing.

So the initial problem was that the logon/logoff didn’t get applied.

Thanks for the help.
0