AkashKujur-8461 asked Uzhirian-7069 commented

Advance Audit Policy not working in Windows Server 2019

I have been trying to set Advance Audit Policy on our servers through GPO but they are not getting applied. I have already set Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to Enabled, and it also appears in RSOP.msc on the servers. The audit policies are not getting applied, however. I ran auditpol.exe /clear and then ran gpupdate /force. Now when I check with auditpol.exe /get /category:* almost all appear as No Auditing.

We are monitoring servers in Azure Security Center and it is recommending that we enable certain Audit policies to be ISO 27001 compliant. But these policies are not getting applied. Please let me know what the problem is here; I will list the audit policies below. The correct GPO is also applied, so no question there.

  • Ensure 'Audit Credential Validation' is set to 'Success and Failure'
  • Ensure 'Audit Removable Storage' is set to 'Success and Failure'
  • Ensure 'Audit PNP Activity' is set to 'Success'
  • Ensure 'Audit Security System Extension' is set to 'Success'
  • Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
  • Ensure 'Audit User Account Management' is set to 'Success and Failure'
  • Audit MPSSVC Rule-Level Policy Change
  • Audit Other Object Access Events

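The check the question describes by hand (compare `auditpol /get /category:* /r` against the recommended subcategories) as an added PowerShell example, not code from the thread. The subcategory names are the ones auditpol itself reports (the GPO setting "Audit PNP Activity" shows up as "Plug and Play Events"); the two subcategories the question lists without a value are assumed to require 'Success and Failure', and the sample CSV and its GUIDs are constructed.

```powershell
# Added example (not from the thread): compare the effective audit policy with the baseline
# the Azure Security Center recommendations in the question ask for.
$Required = @{
    'Credential Validation'           = 'Success and Failure'
    'Removable Storage'               = 'Success and Failure'
    'Plug and Play Events'            = 'Success'             # "Audit PNP Activity" in the GPO editor
    'Security System Extension'       = 'Success'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'MPSSVC Rule-Level Policy Change' = 'Success and Failure' # assumed; the question gives no value
    'Other Object Access Events'      = 'Success and Failure' # assumed; the question gives no value
}

function Test-AuditBaseline {
    param([string[]]$AuditpolCsv, [hashtable]$Expected)
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = $AuditpolCsv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name }
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        # 'Success and Failure' also satisfies a requirement of plain 'Success'
        $ok = ($actual -eq $Expected[$name]) -or
              ($Expected[$name] -eq 'Success' -and $actual -eq 'Success and Failure')
        [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = $actual; Compliant = $ok }
    }
}

# Constructed sample resembling the "almost all No Auditing" result described in the question.
# GUIDs are placeholders; the function does not use that column.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Credential Validation,{00000000-0000-0000-0000-000000000001},No Auditing,
SRV01,System,Plug and Play Events,{00000000-0000-0000-0000-000000000002},Success and Failure,
SRV01,System,User Account Management,{00000000-0000-0000-0000-000000000003},Success and Failure,
'@ -split "`r?`n"

Test-AuditBaseline -AuditpolCsv $sample -Expected $Required | Format-Table -AutoSize

# On a live server, feed auditpol's real output instead and list only the gaps:
# Test-AuditBaseline -AuditpolCsv (auditpol /get /category:* /r) -Expected $Required |
#     Where-Object { -not $_.Compliant }
```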

Hi, we are working with teams internally to help solve your issue! I am awaiting a response.

AkashKujur-8461 answered Uzhirian-7069 commented

Everything has started to work when I moved the settings from a custom GPO to the Default Domain Policy.

Looks like a bug in Group Policies.


Hello,
I have the exact same situation, but on Windows Server 2016 and 2012R2.

Using a custom auditing policy, and setting all the parameters as expected (Force Audit subcategory... = Enabled and all the required Advanced audit policies), then issuing a gpupdate /force and auditpol /get /category:* on a test Windows 10 client, it does not work: all is set to "No Auditing".

Moving all the auditing settings (I mean the standard audit settings, the force subcategory, and the advanced audit policies) to the Default Domain Policy, then issuing gpupdate and auditpol again, it works fine.

So, I can confirm that a custom GPO won't work for the auditing settings.

Definitely, it is a bug with the GPO: if you use a custom, separated GPO for the auditing setting, it won't be applied.

@Microsoft: please advise about this behavior in the GPO, or check if a fix is necessary to be able to create a working custom auditing GPO.

Thank you.
Massimo.


Hello, I am wondering if this issue has been resolved. We would like to use a custom GPO for Advanced Auditing Policies for both our Domain Controllers and our Member Servers.

Thanks...Diana


Hello Diana,
AFAIK no, I have had no evidence of a fix from Microsoft on this issue, which seems clearly a bug.

I have to search whether a fix was released, or check in our environment if a custom GPO now works.

Hope I will be able to let you know ASAP.

Thank you.
Massimo.


Just in case anyone stumbles onto this thread, check for the solution to the 'only working in default domain policy' problem in this thread: https://docs.microsoft.com/en-us/answers/questions/123130/advance-audit-policy-no-longer-applying-after-runn.html

HannahXiong-MSFT answered MassimoChierici-9579 commented

Hello,

Thank you so much for posting here.

Have you linked the GPO to an OU containing the servers? To check the policy applied or not, we could run gpresult /h C:\report.html to get the group policy report.

If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.


More information: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772710(v=ws.10)?redirectedfrom=MSDN

For any question, please feel free to contact us.


Best regards,
Hannah Xiong


Link GPO to OU - Yes. As I mentioned, running rsop.msc shows that the GPO is applied.

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings - I already said in the OP that I have done that, and it shows as Enabled when I run rsop.msc. But under auditpol /get /category:* it is not showing up, and Azure Security Center is also reporting that the policy has not been set.


Hello,
as I wrote in my answer below, using a custom auditing policy, and setting all the parameters as expected (Force Audit subcategory... = Enabled and all the required Advanced audit policies), then issuing a gpupdate /force and auditpol /get /category:* on a test Windows 10 client, it does not work: all is set to "No Auditing".

Moving all the auditing settings (I mean the standard audit settings, the force subcategory, and the advanced audit policies) to the Default Domain Policy, then issuing gpupdate and auditpol again, it works fine.

So, I can confirm that a custom GPO won't work for the auditing settings.

Definitely, it is a bug with the GPO: if you use a custom, separate GPO for the auditing settings, it won't be applied.
You must use the Default Domain Policy and Default Domain Controllers Policy to be able to enable and apply the Advanced Auditing settings.

Thank you.
Massimo.

HannahXiong-MSFT answered HannahXiong-MSFT commented

Hello,

Thank you so much for your kind reply.

According to our description, the policies are applied to the servers in Azure Security Center. We mainly focus on on-premise AD, as for our issue, I discussed with my AAD colleagues. Did we configure the GPO in AAD domain? Besides, the servers in Azure Security Center are joined to the AAD domain, right?

If there is any misunderstanding, please let me know. Thanks.

If the configuration is correct and the GPO is applied as shown in the gpresult, it is suggested that we could enable GPSVC debug logging to further troubleshoot. 

1. On the problematic machine, create the "usermode" folder under the "%windir%\debug\" directory.

2. Create the following registry key:

Under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, create a new key "Diagnostics".

3. Then create a new value "GPSvcDebugLevel" under the key "Diagnostics":

Entry: GPSvcDebugLevel
Type: REG_DWORD
Value data: 30002 (Hexadecimal)



At this point, use the GPSVC analysis blog to get further:

https://blogs.technet.microsoft.com/askds/2015/04/17/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis/   

Please note: Due to forum rules and security considerations, we do not analyze logs here. 

Thank you so much for your understanding and support.



Best regards,
Hannah Xiong



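The three GPSVC logging steps above as one elevated PowerShell script, added here as an example rather than taken from the answer; it also removes the value again afterwards. The gpsvc.log file name and the search pattern used to pull the Security extension lines out of the log are assumptions, not something the answer states.

```powershell
# Added example (not from the thread): enable GPSVC debug logging per the steps above,
# refresh policy so the audit-policy processing is captured, then revert. Run elevated.
$DiagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$LogDir  = Join-Path $env:windir 'debug\usermode'

function Enable-GpsvcDebugLog {
    # Step 1: the usermode folder must exist, otherwise nothing is written
    New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
    # Steps 2 and 3: Diagnostics key holding GPSvcDebugLevel = 0x30002 as a REG_DWORD
    if (-not (Test-Path $DiagKey)) { New-Item -Path $DiagKey -Force | Out-Null }
    New-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -PropertyType DWord `
                     -Value 0x30002 -Force | Out-Null
    # Force a refresh so the log covers a full processing run of the audit GPO
    gpupdate /force | Out-Null
    # Assumed log path; the file name is not given in the answer above
    Join-Path $LogDir 'gpsvc.log'
}

function Disable-GpsvcDebugLog {
    # Remove the value rather than leaving verbose logging on permanently
    Remove-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
}

$log = Enable-GpsvcDebugLog
if (Test-Path $log) {
    # Assumed pattern: the Security client-side extension applies audit settings, so
    # its lines and any audit-related entries are the first thing to read
    Select-String -Path $log -Pattern 'Extension Security|Audit' | Select-Object -Last 40
}
Disable-GpsvcDebugLog
```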

I am getting 404 - Page not found at that URL you provided. Can you give me an updated link?


Hello,

Thank you so much for your kind reply.

Here is the link: https://docs.microsoft.com/en-us/archive/blogs/askds/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis

We could have a check whether it works. Thanks so much.

Best regards,
Hannah Xiong
