This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 12%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
I was troubleshooting some advance group policy issue, some were getting applied some were not. So I ran auditpol.exe /clear in the problematic machine once. And now the advance audit policies are not getting applied even after I run repeated gpupdates & system reboots.
How can I enable Advance Auditing back after running clear command.
The machine is Windows Server 2019
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 17%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
As I did the same mistake. As everything was working fine but I run the advanced police. With that I lost alot of philips remote codes files. Now After that I also run the auto configuration of it but haven't recovered the system. With that I also cleared the extra policy configuration but all in vain. At the end I contacted to their support. The support team is quite humble. They guide me through a proper sequence by deleting some extra file the system start proper working and my lost data get recovered. So contact to the support team for better solution.
I got the answer to the problem. Advance Audit policies are only working from Default Domain Policy. If I do the settings on a separate GPO, it is not applying even if I enforce the GPO. Both GPOs are applied on the top domain level, the custom GPO works for other settings but fails for Advance auditing. When the settings are shifted to Default Domain Policy, auditing starts working.
This looks like bug which Microsoft may want to look at or is their any specific reason why this happens.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 42%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Advanced Auditing will not work at all if the "Default Domain Policy" is missing its audit.csv file in the SYSVOL folder
{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit
Even policies set locally via secpol.msc won't work!
To restore the audit.csv file, simply edit the "Default Domain Policy" and set any advanced audit setting. This recreates the audit.csv file in the SYSVOL path and you can immediately revert the change to the "Default Domain Policy".
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 80%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBR%3C/text%3E%3C/svg%3E)
That explains it David. Thanks for passing that on.
-Brent (formerly Brenticus-4216)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 60%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EU%3C/text%3E%3C/svg%3E)
Absolutely this. Thanks for dropping that info here, I was getting ready to murder something, so you saved an innocent life haha.
To resolve, here's the full process I used (DavidTrevor's answer + extra steps):
issue: Custom GPO wasnt showing advanced audit settings or working when GPO applied to device.
Solution:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 3%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJG%3C/text%3E%3C/svg%3E)
Thanks! Just ran into this issue and fixed it thanks to this post :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for posting here.
According to our description, we have configured the Advanced Audit policies, and some got applied while some were not. That is to say, there is nothing wrong with the configuration since some got applied. We are wondering whether this GPO is only not applied on the Windows server 2019 machine?
Besides, we mentioned that all other policies in that GPO do get applied. So in the same GPO, there are other policies except the advanced audit policies.
Once we used the Advanced audit policy in the system, the legacy audit policy will not be used by this system. So as mentioned, legacy audit policy is disabled.
Generally we can check if the GPOs are applied via the gpresult. But it is not suitable and accurate to the audit policies. We check the audit policies applying result via the auditpol command:
auditpol /get /category:*
After running the command auditpol.exe /clear, the audit polices will clear. Then we could run gpupdate /force and then the audit policies will come back. For example:
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
Yea, I have tried that multiple times but it is not coming back.
Below is the result after running auditpol /clear
This is the Group Policy setting from rsop.msc
I have tried the above steps multiple times but its not working in that server.
For GPO permissions under Security Filtering, I have only put a group with Computer Objects (Servers only) and removed Authenticated Users. This is because keeping Authenticated Users was making the policy apply to client Windows 10 machines, so I had to remove them.
Hello,
Thank you so much for posting here.
If we use Advanced Audit Policy Configuration settings, we should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. So we have applied this policy and this policy is successfully applied.
The Advanced audit policies are not applied. Would you please kindly run the below command to get the policies report to check whether the specific settings are applied or not? Also please let us know if there is any error messages.
gpresult /h C:\report.html
For example, I configured the advanced audit policies and Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy in the same GPO.
Then check the gpresult report, the settings are applied as shown below.
According to our description, we deployed Security Filtering. We could add the group (which you want to apply the policy) with Read and Apply permission.
For Security Filtering, this Group Policy now applies to only computers that are a member of the security group. However we still need to remember that the computer should be part of the site/domain/OU to which this Group Policy Object is linked. We could kindly have a check about this.
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 92%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
Thanks for the explanation - helped a lot.
However I'm still puzzled on where auditpol /set is persisted and where it comes into play in combination with local or domain advanced audit settings.
My experiments tell me that auditpol /set values are ignored when a local policy exists.
Also domain GPO's are only applied if the local machine already have a local policy and an Audit.csv in C:\WINDOWS\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit
Can you or someone elaborate ?
Thanks
Claus
Hello,
Thank you so much for your feedback.
So glad to hear that the advanced audit settings started working when they were shifted to Default Domain Policy. If we did the settings on a separate GPO, it would still be applied. Below is my test, and we could kindly have a check.
1, Created the OU (such as OU for computers) and added the computers into this OU.
2, Created a GPO and linked to the above OU (The GPO was named Advanced audit policy).
3, Edited the GPO and configured the settings, such as Audit Credential Validation set to Success and Failure, Audit Security System Extension set to success.
4, Logged on to the computer and refresh the group policy via command gpupdate /force.
5, Checked the gpresult that the GPO was applied successfully.
6, Then check the audit policy via command auditpol /get /category:* and we could see that the settings were applied.
7, Last check the Event Viewer, and we could see that some events were logged.
Hope the information is helpful. Thank you so much for your time.
Best regards,
Hannah Xiong