PramoIT (Netherlands) asked on

Audit GPO is not applied in server 2012R2

Hi,

We have a couple of Server 2012 R2 servers in a domain. The GPO settings get applied successfully, except the audit GPO settings. They don't get applied. This is the case for the basic (category) audit settings as well as for the advanced (subcategory) audit settings (when "Force audit policy subcategory settings..." is enabled).

When I run RSOP it says that the policy is set, but when I look in Local Security Policy it doesn't have the audit settings applied.

Any help is appreciated.

Regards,
Tags: Windows OS, Active Directory, Security

Last comment: PramoIT, 8/22/2022 (Mon)
McKnife

"when I look in Local Security Policy it doesn't have the audit settings applied." - the changes don't reflect in there, that is normal.
To see whether they applied, use
gpresult /h %temp%\results.html /f & %temp%\results.html

PramoIT

ASKER
Hi,

On other servers (other domain) I can see the settings are reflected in Local Security Policy and they are greyed out.

When I run that command I can see in the RSOP that all settings are applied, but in reality they aren't. Account logons are not logged in the windows event logs.
McKnife

Name one example of a GPO that gpresult shows as being applied and where the corresponding entries are not being greyed out.
PramoIT

ASKER
they are greyed out, but not set. My main concern is that the policy looks like it is applied, but in reality they are not.
McKnife

Being greyed out at the local gpedit.msc means they are definitely in effect, so don't worry and simply try out if those things are being logged that you turned logging on for.
ASKER CERTIFIED SOLUTION
Ajit Singh

McKnife

Ajit, could you please explain what makes you think there is an "internal mismatch"?
What the author reports is perfectly normal and the reason for this question is that the author assumes that GPOs will be reflected in the local gpedit.msc - which is not true.
Ajit Singh

As the author is applying it and it's not showing, I was just guessing that maybe something is enforcing it; that's why I wrote that, just for testing.

Maybe I am wrong here.
McKnife

"its not showing" - it is showing the way it should: by seeing greyed out options to edit the local policies in gpedit.msc we can confirm that these domain GPOs are being applied normally.
Ajit Singh

I missed that, thanks for letting me know.
PramoIT

ASKER
Hi McKnife, what I'm trying to explain is that the audit GPO is not applied. There is nothing audited in the security log. No account logons (success and failure).

@Ajit, I will try that and let you know.
McKnife

Account logons of domain accounts are not logged locally but instead on the domain controller. Could that be the "problem"?
PramoIT

ASKER
Hi McKnife,

We have several other domains where domain accounts logons are logged on the machine (terminal server) where users log on to.

Anyway, I have set all the GPO audit settings to Not Configured. Did a gpupdate /force on the machine and then set the audit policies again. That worked.

Thanks for the help.
Jeremy Weisinger

If it's a domain account, the Account Logon event is the credential validation and needs to happen on a domain controller. Logon events happen on the machine where the session is established (like logging onto the desktop).

If you see Account Logon events on a non-DC computer, it is for a local account.

More info: https://blogs.msdn.microsoft.com/ericfitz/2005/08/04/deciphering-account-logon-events/
PramoIT

ASKER
Maybe it's my ignorance, but see the attached screenshot. These are events on a terminal server (so not a DC) and these events log logon and logoff events of domain accounts.

These are the events I missed before the problem was solved.

So what do you mean by "If you see Account Logon events on a non-DC computer, it is for a local account."? These are domain accounts, aren't they?
[attachment: Capture.JPG]
Jeremy Weisinger

Logon and Logoff events are different than Account Logon events. The link I posted describes the difference between the two.

Account Logon events are the validation of the credentials. These occur on the source of authority for the account. (so if it's a domain account it will occur on a domain controller)
Logon/Logoff events pertain to the session. Those occur where the session is. (so on the terminal server, even if it's a domain account)

The reason we're pointing out the difference is that the audit policies are different. So when configuring, you need to configure the logon/logoff settings. If you only configured the Account Logon audit policy and then forced the rest of the settings, that would explain why you weren't getting the logon/logoff events.
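As an added example, not taken from any post in this thread: a PowerShell check, run elevated on the member server, that reads the effective audit policy with auditpol instead of looking at gpedit.msc (McKnife's point) and then confirms that Logon/Logoff events are actually being written, which are distinct from Account Logon events (Jeremy's point). The registry value name, the auditpol CSV columns and the 4624 field index are standard Windows values as I know them, not something the thread states.

```powershell
# Added example: verify the effective audit policy on a 2012 R2 member server
# and confirm that Logon/Logoff events really land in the Security log.
# Run in an elevated PowerShell session on the server in question.

# 1. Is "Audit: Force audit policy subcategory settings ... to override audit
#    policy category settings" in effect? It is stored under the Lsa key as
#    SCENoApplyLegacyAuditPolicy (DWORD 1 = subcategory settings win).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$forceSub = ($lsa.SCENoApplyLegacyAuditPolicy -as [int]) -eq 1
Write-Host "Subcategory settings override category settings: $forceSub"

# 2. Read the effective (post-GPO) audit policy with auditpol in CSV form.
#    Logon/Logoff is what a terminal server logs for domain users; Account Logon
#    (credential validation) only fires on the DC for domain accounts.
$effective = foreach ($cat in 'Logon/Logoff', 'Account Logon') {
    auditpol /get "/category:$cat" /r |
        Where-Object { $_ -match '\S' } |       # drop blank lines before parsing
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
$effective | Format-Table -AutoSize

$notAudited = $effective | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($notAudited) {
    Write-Warning ("Subcategories with no auditing: " + ($notAudited.Subcategory -join ', '))
}

# 3. Confirm events are actually being written: count 4624 (logon) and
#    4634/4647 (logoff) in the Security log over the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4647; StartTime = $since } -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No Logon/Logoff events in the last 24 h; the policy may not be in effect.'
} else {
    $events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
    # For 4624 the LogonType is EventData field 9 (index 8); type 10 = RemoteInteractive (RDP),
    # which is what you expect to see for domain users on a terminal server.
    $events | Where-Object Id -eq 4624 |
        ForEach-Object { $_.Properties[8].Value } |
        Group-Object |
        Select-Object @{ n = 'LogonType'; e = { $_.Name } }, Count |
        Format-Table -AutoSize
}
```

If step 2 shows "Success and Failure" for the Logon subcategory but step 3 returns nothing, the policy is in effect and the missing events are a different problem (for example nobody has logged on in that window); if step 2 shows "No Auditing", the GPO really did not apply and a gpupdate /force plus a re-run is the next check.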
PramoIT

ASKER
OK, I understand. I had and have both logon/logoff and account logon/logoff enabled for auditing.

So the initial problem was that the logon/logoff settings didn't get applied.

Thanks for the help.