
I have a similar problem to the one described in the thread below: Audit policy being overwritten by "something"

Unfortunately, deleting audit.csv did not help.

Let me summarize the problem: we are using basic auditing in our env, that means the setting below is disabled: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - DISABLED (no advanced auditing)

When I run gpedit.msc or secpol.msc to check the audit policy, it shows "NO AUDITING". I found out that when I restore the audit policy from a backed-up file, it looks as it should, for example the value "audit account logon events" - success, failure, etc., and when I run gpupdate /force it is switched back to "NO AUDITING". I tried to move these settings to the default domain policy, but with no success. I also tried many other things, but currently I have no idea.

Can someone help me on this please?

Thank you

  • Where are the settings defined, and what are the values of the settings there? – Greg Askew Mar 10 '23 at 13:05
  • Settings are defined in a GPO, which is linked to the OU where the server is sitting. I also tried to move the settings to the default domain policy, but with no success. When I run gpresult it is visible that the GPO and settings are correctly applied, but when I run gpedit to check it, it looks as "no auditing". I also checked a different domain where it looks as it should, that means the settings are visible in gpedit – Jan kratochvíl Mar 10 '23 at 13:09
  • What does `gpresult /h file.html` show? – Greg Askew Mar 10 '23 at 13:11
  • I do not know how to post a screenshot, but it looks like auditing is set up: example "audit account logon events" - success, failure – Jan kratochvíl Mar 10 '23 at 13:19
  • I would use gpresult. It should be fairly easy to test the audit setting that you need. Is the system *not* auditing any account logons? If it is, I don't see a problem. – Greg Askew Mar 10 '23 at 13:21
  • Well, HC is set up, it reads data from local policy. It should be automatically propagated to local policy (gpedit). The reason is if there is some local policy and a different domain policy, it takes both together. – Jan kratochvíl Mar 10 '23 at 13:24
  • The strange thing is it works in my different domain, so there has to be something wrong – Jan kratochvíl Mar 10 '23 at 13:24
  • If auditing is working, perhaps you should clarify the question so that you can use the Local Policy Editor to view Group Policy Settings. That seems to be what you want. – Greg Askew Mar 10 '23 at 13:28
  • OK, I will check if it is auditing and will come back. Thanks – Jan kratochvíl Mar 10 '23 at 13:29
  • Anyway, I will need to fix this problem no matter whether it is auditing or not – Jan kratochvíl Mar 10 '23 at 13:38
  • I found event 4624 - Audit logon events, that means it is auditing, but I need to fix this problem, because HC presents this as a violation: gpedit (local policy) => Audit logon events - no auditing – Jan kratochvíl Mar 10 '23 at 14:08
  • Hello, good morning, can we start on this topic again please? – Jan kratochvíl Mar 13 '23 at 09:00
  • Update: I have found there are records in the event log related to audit policy change. First it is added by the group policy object (as it should be) and then there are other records in the event log, 4719, auditing removed. I really do not know why, but at least I know it is removed by the system account... – Jan kratochvíl Mar 14 '23 at 14:14

0 Answers