Windows 10 Pro : Advanced Audity Policy Configuration - secpol vs auditpol

Question

On a Fresh installation of Windows 10 Professional, stand alone I've to set some Advanced Audit Policy Configuration - System Audit Policies - Local Group.
If i use graphic interface secpol (with administrator rights) all works well and i see a .csv is created in
c:\windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv containing the modified policies. When i restart windows all work well.

Using command line (with administration rights)
by auditpol.exe i see the correct policies:
auditpol.exe /get /category:*

So i tried to change a policy from command line using :
auditpol /set subcategory:"Logon" /success:enable /failure:enable

by auditpol.exe i see the updated correct policy
Now i force policies update by:
gpupdate /force

Then i reboot the machine and the policy update by hand with auditpol.exe is override by the
previous value (it was set by secpol.msc) and the c:\windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv doesn't contain the new value.
So : Is it possible to override a value previous set by secpol.msc with the command auditpol.exe ?
Is there any example ? I searched online without success.
Or is there a way to modify by a shell script the c:\windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv file ?

Answer 1

Hello there,

If we use Advanced Audit Policy Configuration settings, we should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override the audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. So we have applied this policy and this policy is successfully applied.

This article helps fix an issue where audit policy settings with AuditPol and the Local Security Policy (SECPOL.msc) show different results.

AuditPol and Local Security Policy results may differ https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/auditpol-local-security-policy-results-differ

A similar discussion can be found in this thread. Advance Audit Policy no longer applying after running auditpol.exe /clear https://learn.microsoft.com/en-us/answers/questions/123130/advance-audit-policy-no-longer-applying-after-runn.html

--------------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer–

Answer 2

Sorry but, even if i enable the registry key, this has no effect. After reboot everything is reset to previous.

Answer 3

Hello GAsko-8926,

Thank you for posting in our Q&A forum.

After my check and review, please check two points:

First:

It is missing a “/” in following command.

The correct one should be:

auditpol /set /subcategory:Logon /success:enable /failure:enable

Would you please check that whether you have indeed successfully set the advanced audit policy using the auditpol command?

Second:
Please try the same operations on one server machine to see if the same result.

I can see it applies to Windows server from the link below.

auditpol set
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol-set

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 4

Yes sorry / missing on this post not on my machine command.
Ok i will try on a server machine
Thanks