My goal is to configure advanced audit policy for file system objects on some Windows machines, such that it overrides group policy. I need this to work for both Windows Server 2008 (R1) and later editions.

From what I've read, this is possible by setting this registry value to 1:

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy`

And then running this command:

`auditpol.exe /set /subcategory:"File System" /success:enable`

Am I understanding this correctly, or can advanced auditing policy also be overridden by group policy?

* UPDATE *

I created a couple of VMs and created a test domain, to try this out. It seems it does work, but the setting "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (which controls `SCENoApplyLegacyAuditPolicy`) can still be disabled by group policy - and if it is, I can't figure out how to override it such that auditing isn't disabled again at the next `gpupdate`. Is this possible?

Cocowalla
  • I don't see why this is necessary. Audit Policies are built into GPO, aren't they? https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx Your link also states: `In Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated in Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU).` – duenni Mar 15 '17 at 10:08
  • @duenni I'm working on some software that needs access to audit data. We want to minimise the configuration burden on our users, so ideally no changes to GPOs would be necessary for the servers our software is deployed to – Cocowalla Mar 15 '17 at 11:33
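
The two steps from the question, followed by a check of the effective state before and after a policy refresh, as an added example that is not part of the original post or its comments. The function names are hypothetical, and it assumes an elevated PowerShell 2.0+ session on an English-language lab machine, since auditpol's CSV column and setting names are localized.

```powershell
# Added example (not from the original post). Run elevated, on a test machine.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'SCENoApplyLegacyAuditPolicy'

function Set-FileSystemAudit {
    # Step 1: make subcategory settings take precedence over legacy category settings.
    New-ItemProperty -Path $lsaKey -Name $valueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # Step 2: enable success auditing for the File System subcategory.
    auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null
}

function Get-FileSystemAuditState {
    # Registry flag as currently stored (a GPO refresh may rewrite it).
    $flag = (Get-ItemProperty -Path $lsaKey -Name $valueName `
        -ErrorAction SilentlyContinue).$valueName

    # /r prints CSV; the effective setting is in the "Inclusion Setting" column
    # (column and value names assume an English-language system).
    $row = auditpol.exe /get /subcategory:"File System" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq 'File System' }

    New-Object PSObject -Property @{
        ForceSubcategory = ($flag -eq 1)
        Setting          = $row.'Inclusion Setting'
        SuccessAudited   = ($row.'Inclusion Setting' -match 'Success')
    }
}

Set-FileSystemAudit
$before = Get-FileSystemAuditState

# Refresh policy, then re-read: this shows whether a domain GPO reverted either step.
gpupdate.exe /force | Out-Null
$after = Get-FileSystemAuditState

"Before gpupdate: force=$($before.ForceSubcategory) setting='$($before.Setting)'"
"After  gpupdate: force=$($after.ForceSubcategory) setting='$($after.Setting)'"

if (-not $after.ForceSubcategory) {
    Write-Warning "$valueName was reset by policy; legacy category settings apply again."
}
if (-not $after.SuccessAudited) {
    Write-Warning "File System success auditing is no longer effective."
}
```

Running `Get-FileSystemAuditState` on a schedule gives software that depends on these events a way to notice when policy has switched them off.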

0 Answers