I recently discovered that all of our Domain controllers (2008 R2, domain and forest functional level is 2008 R2) are no longer logging AD account logon events to the Security Log.
The Default Domain Controllers GPO:
Audit account logon events - Success,Failure
Audit account management events - Success,Failure
Audit directory service access - Success
Audit Account logon events - Success,Failure
Audit system events - Success,Failure
The RSOP shows the above policy as being the winning GPO. Group policy management console resulting wizard shows the above policy as the winner as well.
When I run auditpol /get /category:* I get the following results:
System audit policy
Category/Subcategory Setting
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation No Auditing
All other categories are "No Auditing" as well.
Am I missing anything obvious? Or am I going to have to set the Advanced Audit Policy settings?
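An added example, not part of the original post: a check that parses saved `auditpol /get /category:*` output and lists every subcategory whose effective setting falls short of what the GPO in the post asks for. It assumes English-language auditpol output; the sample text, the function names and the mapping of the legacy categories to the auditpol categories "Account Logon", "Account Management", "DS Access" and "System" are supplied here for illustration.

```python
import re

# Legacy categories from the GPO in the post -> auditpol category and wanted setting.
EXPECTED = {"Account Logon": "Success and Failure",
            "Account Management": "Success and Failure",
            "DS Access": "Success",
            "System": "Success and Failure"}
ROW = re.compile(r"^(.+?)\s+(No Auditing|Success and Failure|Success|Failure)$")

# Constructed sample in the layout auditpol prints (not the poster's full output).
SAMPLE = """System audit policy
Category/Subcategory                      Setting
System
  Security State Change                   Success and Failure
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Credential Validation                   No Auditing
DS Access
  Directory Service Access                Failure
"""

def parse_auditpol(text):
    """Return {category: {subcategory: setting}} from auditpol text output."""
    policy, category = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        row = ROW.match(line)
        if row and category is not None:
            policy[category][row.group(1)] = row.group(2)
        elif not row:  # a line without a setting starts a new category
            category = line
            policy[category] = {}
    return policy

def gaps(policy, expected=EXPECTED):
    """List (category, subcategory, actual, wanted) where auditing falls short."""
    found = []
    for category, wanted in expected.items():
        subs = policy.get(category)
        if not subs:
            found.append((category, None, "missing", wanted))
            continue
        for sub, actual in subs.items():
            have = set() if actual == "No Auditing" else set(actual.split(" and "))
            if not set(wanted.split(" and ")) <= have:
                found.append((category, sub, actual, wanted))
    return found

if __name__ == "__main__":
    for gap in gaps(parse_auditpol(SAMPLE)):
        print(gap)
```

Run against output collected from each domain controller, an empty result means the effective policy matches the GPO; any row returned is a subcategory that will not produce the expected Security Log events.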