This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 12%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
I have been trying to set Advance Audit Policy to our servers through GPO but they are not getting applied. I have already set Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. to Enabled and also appears in RSOP.msc of the servers. The audit policies are not getting applied however. I ran auditpol.exe /clear and then ran gpupdate /force. Now when I check with auditpol.exe /get /category:* almost all appear as No Auditing.
We are monitoring servers in Azure Security Center and it is recommending us to enable certain Audit policies to be ISO 27001 compliant. But these policies are not getting applied. Please let me know what is the problem here, I will list the audit policies below. The correct GPO is also applied so no question their.
Hi, we are working with teams internally to help solve your issue! I am awaiting a response.
Everythin has started to work when I moved the settings from custom GPO to Default Domain Policy.
Looks like a bug in Group Policies
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 27%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
Hello,
i have the exact same situation, but on Windows Server 2016 and 2012R2.
Using a custom auditing policy, and setting all the parameters as expected (Force Audit subcategory... = Enabled and all the required Advanced audit policies), then issue a gpupdate /force and auditpol /get /category:* on a test Windows 10 client it does not works, all is set to "No Auditing",
Moving all the auditing settings (i mean the standard audit settings, the force subcategory, and the advanced audit policies) to the Default Domain Policy, then issuing again gpupdate and auditpol it works fine.
So, i can confirm that a custom GPO won't work for the auditing settings.
Definitely, it is a bug with the GPO: if you use a custom, separated GPO for the auditing setting, it won't be applied.
@Microsoft: please advise about this behavior in the GPO, or check if a fix is necessary to be able to create a working custom auditing GPO.
Thank you.
Massimo.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 70%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDS%3C/text%3E%3C/svg%3E)
Hello, I am wondering if this issue has been resolved. We would like to use a custom GPO for Advanced Auditing Policies for both our Domain Controllers and our Member Servers.
Thanks...Diana
Hello Diana,
AFAIK no, I had no evidence of a fix from Microsoft on this issue, which seems clearly a bug.
I have to search if a fix was released, or check in our env if a custom GPO now works.
Hope i will be able to let you know ASAP.
Thank you.
Massimo.
Thanks for your quick reply. I will be attempting to use custom GPOs on afternoon of 2021-10-19, so will find out and let you know.
Thanks...Diana
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 60%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EU%3C/text%3E%3C/svg%3E)
Just incase anyone stumbles onto this thread, check for solution to the 'only working in default domain policy' in this thread: https://learn.microsoft.com/en-us/answers/questions/123130/advance-audit-policy-no-longer-applying-after-runn.html
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
Have you linked the GPO to an OU containing the servers? To check the policy applied or not, we could run gpresult /h C:\report.html to get the group policy report.
If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
More information: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772710(v=ws.10)?redirectedfrom=MSDN
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Link GPO to OU - Yes. As I mentioned, running rsop.msc shows that GPO is applied
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings - Already said in OP that I have done that. And it shows as Enabled when I run rsop.msc. But under auditpol /get /category:* it is not showing up and Azure Security Center is also reporting that policy has not been set.
Hello,
as i wrote answring below, using a custom auditing policy, and setting all the parameters as expected (Force Audit subcategory... = Enabled and all the required Advanced audit policies), then issue a gpupdate /force and auditpol /get /category:* on a test Windows 10 client it does not works, all is set to "No Auditing",
Moving all the auditing settings (i mean the standard audit settings, the force subcategory, and the advanced audit policies) to the Default Domain Policy, then issuing again gpupdate and auditpol it works fine.
So, i can confirm that a custom GPO won't work for the auditing settings.
Definitely, it is a bug with the GPO: if you use a custom, separated GPO for the auditing setting, it won't be applied.
You must use Default Domain Policy and Default Domain Controller Policy to be able to enable and apply the Advanced Auditing settings.
Thank you.
Massimo.
Hello,
Thank you so much for your kindly reply.
According to our description, the policies are applied to the servers in Azure Security Center. We mainly focus on on-premise AD, as for our issue, I discussed with my AAD colleagues. Did we configure the GPO in AAD domain? Besides, the servers in Azure Security Center are joined to the AAD domain, right?
If there is any misunderstanding, please let me know. Thanks.
If the configuration is correct and the GPO is applied as shown in the gpresult, it is suggested that we could enable GPSVC debug logging to further troubleshoot.
1.On problematic machine, create the “usermode” folder under “%windir%\debug\” directory.
2.Create the following registry keys:
Under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion , create a new Key “Diagnostics” there
3.Then create a new value “GPSvcDebugLevel” under the key “Diagnostics”:
Entry: GPSvcDebugLevel
Type: REG_DWORD
Value data: 30002 (Hexadecimal)
At this point, use the GPSVC analysis blog to get further:
Please note: Due to forum rules and security considerations, we do not analyze logs here.
Thank you so much for your understanding and support.
Best regards,
Hannah Xiong
I am getting 404 - Page not found in that url you provided. Can you give me an updated link.
Hello,
Thank you so much for your kindly reply.
Here is the link: https://learn.microsoft.com/en-us/archive/blogs/askds/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis
We could have a check whether it works. Thanks so much.
Best regards,
Hannah Xiong