About the audit log of the domain controller

ryosk25 521 Reputation points
2022-02-16T09:28:27.947+00:00

Windows Server 2019: I am operating a Domain Controller.

I have enabled the audit settings below, but after a certain period of time, the settings return to the default settings.

Policy / Windows Settings / Security Settings / Local Policy / Audit Policy
Account management audit
Define the settings for these policies
Success: Valid
Failure: Valid

Auditing directory service access
Define the settings for these policies
Success: Valid

Do you know any possible causes or remedies?
Thank you.


2 answers

  1. Limitless Technology 39,356 Reputation points
    2022-02-17T15:35:36.187+00:00

    Hello @ryosk25

    You may need to check the Default Domain Controllers Policy: A default GPO that is automatically created and linked to the domain whenever a server is promoted to a domain controller. This GPO represents the default policy that is applied to all domain controllers in the Domain Controllers container. Since the domain policies prevail over local policies, they will rewrite your settings.

    To edit this GPO, you need to open the Group Policy Management Console from the DC (running GPEDIT from an elevated command prompt) and find the GPO in the folders in the left-side menu. Once these policies are applied there, they will not revert.

    More information about precedence and group policy hierarchy: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpod/566e983e-3b72-4b2d-9063-a00ebc9514fd

    Hope this helps with your query,

    --
    --If the reply is helpful, please Upvote and Accept as answer--


  2. Clément BETACORNE 2,031 Reputation points
    2022-02-17T16:26:58.05+00:00

    Hello @ryosk25 ,

    You should check whether you have a GPO that overrides your setting by using gpresult /H gpreport.html.
    If that's the case, you should create a new GPO linked to the domain controllers OU, with a precedence of 1 if possible, by using the Group Policy Management Console (GPMC.MSC), and configure the audit settings as you wish.

    Regards,
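
Both answers come down to finding which GPO applied to the Domain Controllers OU carries the audit settings. The following is an added example, not part of either answer: it lists every GPO that applies to that OU and reads the two settings from the question out of each GPO's security template. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the GPO files sit in the standard SYSVOL layout; the variable names are illustrative.

```powershell
# Added example: run in an elevated PowerShell session on the domain controller.
Import-Module GroupPolicy, ActiveDirectory

$domain  = Get-ADDomain
$dcOu    = $domain.DomainControllersContainer       # DN of the Domain Controllers OU
$wanted  = 'AuditAccountManage', 'AuditDSAccess'    # the two policies from the question
$meaning = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success, Failure' }

# Every GPO that applies to the OU (linked directly or inherited), with its link order.
$links = (Get-GPInheritance -Target $dcOu).InheritedGpoLinks

$report = foreach ($link in $links) {
    # Assumed standard SYSVOL location of the GPO's security template.
    $inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($link.GpoId)}" +
           '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }   # GPO has no security settings

    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Only the [Event Audit] section holds the basic audit policy values.
            $inSection = ($Matches[1] -eq 'Event Audit')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)' -and $wanted -contains $Matches[1]) {
            [pscustomobject]@{
                Setting  = $Matches[1]
                Value    = $meaning[$Matches[2]]
                GPO      = $link.DisplayName
                Order    = $link.Order
                Enabled  = $link.Enabled
                Enforced = $link.Enforced
            }
        }
    }
}

# One row per GPO that defines either setting, grouped by setting and link order.
$report | Sort-Object Setting, Order | Format-Table -AutoSize

# The audit policy currently in effect on this DC, for comparison with the table.
auditpol /get /category:*

# The resultant-set-of-policy report suggested in the second answer.
gpresult /H gpreport.html /F
```

If a setting appears in more than one row, compare the Order and Enforced columns with the winning GPO shown in gpreport.html to see which link is overwriting the values you configured.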