
I just started a new job last week as a software developer and one of the first tasks I was given was to update a script my company sends out to the client laptops. Basically all it is supposed to do is delete a file (which I have written) and update some Advanced Audit Policy Configuration settings.

Now I have never dealt with this part of the system so I am treading in areas I never have before -- so most of what I'm doing is guesswork. What I did find was auditpol, which I can successfully run in cmd to get the results I need. By the way, those changes are:

  • Audit Other Logon/Logoff Events: Success/Failure = enabled
  • Audit Detailed File Share: Failure = enabled
  • Audit MPSSVC Rule-Level Policy Change: Success/Failure = enabled
  • Audit Other Policy Change Events: Success/Failure = enabled
  • Audit MPSSVC Rule-Level Policy Change: Success/Failure = enabled

And Windows should be configured to prevent users from receiving suggestions for third-party or additional programs (policy value found in User Configuration >> Administrative Templates >> Windows Components >> Cloud Content)

I thought auditpol did what I needed it to, but it doesn't show up in the policy editor and I'm also told by the people that need it that it's not updating anyway. I've been searching for an answer all day and I haven't made much progress.

Dave
  • The policy editor does not read in or reflect the current settings. There's already a node in policy editor for Advanced Audit Policy configuration, that would be a better choice. – Greg Askew Jun 12 '20 at 19:16
  • So there's no way to merge the settings between auditpol and the editor? And I'm sure it's a better choice, but I'm being asked to code it into a script. I don't understand why the editor doesn't reflect the changes. Seems to be meaningless – Dave Jun 12 '20 at 19:25
  • You should also specify what you mean by `it's not updating`. The validation would be to run `auditpol /get /Category:*`. – Greg Askew Jun 12 '20 at 20:03
  • It isn't updating in the editor, which you already addressed. It is showing correctly by running that auditpol command. However, it does also revert the changes after rebooting – Dave Jun 12 '20 at 20:11
  • I guess I just need to figure out how to make the auditpol settings persist after a restart. I do have the `Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings` enabled but that doesn't seem to do anything – Dave Jun 12 '20 at 20:42
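
The audit settings listed in the question, applied with `auditpol /set` and then checked with `auditpol /get` as suggested in the comments. This is an added example, not code from any of the posts above; it assumes an elevated prompt and an English-language Windows install (auditpol matches subcategories by their localized display name), and the `-VerifyOnly` switch is a hypothetical name introduced here. It does not make the settings persist: run it again with `-VerifyOnly` after a restart to see which subcategories reverted.

```powershell
#Requires -RunAsAdministrator
# Added example. -VerifyOnly (hypothetical switch) reports the effective
# settings without changing anything.
param([switch]$VerifyOnly)

# Desired state from the question. $true means "this outcome must be audited";
# $false means "not required" (the script never disables anything).
$desired = @(
    @{ Name = 'Other Logon/Logoff Events';       Success = $true;  Failure = $true }
    @{ Name = 'Detailed File Share';             Success = $false; Failure = $true }
    @{ Name = 'MPSSVC Rule-Level Policy Change'; Success = $true;  Failure = $true }
    @{ Name = 'Other Policy Change Events';      Success = $true;  Failure = $true }
)

function Get-AuditSetting([string]$Name) {
    # /r prints the report as CSV; drop blank lines before parsing it.
    $rows = @(auditpol /get "/subcategory:$Name" /r |
              Where-Object { $_.Trim() } | ConvertFrom-Csv)
    if ($LASTEXITCODE -ne 0 -or $rows.Count -eq 0) {
        throw "auditpol /get failed for '$Name'"
    }
    # Typical values: "Success and Failure", "Success", "Failure", "No Auditing"
    return $rows[0].'Inclusion Setting'
}

$failed = 0
foreach ($d in $desired) {
    if (-not $VerifyOnly) {
        $setArgs = @('/set', "/subcategory:$($d.Name)")
        if ($d.Success) { $setArgs += '/success:enable' }
        if ($d.Failure) { $setArgs += '/failure:enable' }
        auditpol @setArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($d.Name)'" }
    }

    # Read the effective policy back instead of trusting the /set exit code.
    $actual = Get-AuditSetting $d.Name
    $ok = (-not $d.Success -or $actual -match 'Success') -and
          (-not $d.Failure -or $actual -match 'Failure')
    if (-not $ok) { $failed++ }
    [pscustomobject]@{ Subcategory = $d.Name; Effective = $actual; Compliant = $ok }
}

# A non-zero exit code lets a deployment tool flag machines that are out of policy.
if ($failed -gt 0) { exit 1 }
```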

0 Answers