Windows 2019: Audit policy being overwritten by "something"

Jan Kratochvil 1 Reputation point
2023-03-14T14:27:46.5866667+00:00

I have a similar problem to the one described in the thread below:
https://social.technet.microsoft.com/Forums/windows/en-US/74174afb-46b7-4c4c-b89c-537af3a038a0/audit-event-id-4719-keeps-happening-over-and-over?forum=winserverGP

Unfortunately, we do not use advanced audit policy.

Let me summarize the problem: we are using basic auditing in our env, which means the setting below is disabled: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - DISABLED (no advanced auditing)

When I run gpedit.msc or secpol.msc to check the audit policy, it shows "NO AUDITING". I found out that when I restore the auditing policy from a backed-up file, it looks as it should, for example the value "audit account logon events" - success, failure, etc., and when I run gpupdate /force it is switched back to "NO AUDITING". I tried to move these settings to the default domain policy, but with no success.
I tried to move auditing to advanced auditing and it works, but when I move it back to basic auditing, the result of the command auditpol /get /category:* is again "no auditing".

Can someone help me with this, please?

Thank you


1 answer

  1. Limitless Technology 16,666 Reputation points
    2023-03-15T15:50:48.9766667+00:00

    Hello there,

    Have you tried setting this policy on the local GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings to override audit policy category settings?

    In a domain-based environment this setting is required to tell Windows to ignore the "legacy" category-based audit settings and instead respect the "Advanced Audit Policy" settings that use subcategories.

    The thread below discusses the same issue; you can try some of the troubleshooting steps from it and see if that helps you sort out the issue.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/03cb345e-baf1-45b7-97e1-b3b7a9ebe119/audit-policy-reset-on-restart?forum=winserverGP

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
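
An added diagnostic example, not part of the answer above and not Microsoft's own tooling: it records the effective audit policy before and after `gpupdate /force` (the step the question says resets it), shows which subcategories changed, and lists recent event ID 4719 entries, the event named in the first linked thread. The registry value name `SCENoApplyLegacyAuditPolicy` (the value behind the "Force audit policy subcategory settings" option) and the function names are assumptions not taken from the page.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic sketch; run in an elevated session on the affected server.

function Get-AuditOverrideState {
    # Assumption: this LSA value backs the "Audit: Force audit policy subcategory
    # settings ... to override audit policy category settings" security option.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $v = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
            -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
    if ($null -eq $v) { 'Not configured in the registry' }
    elseif ($v -eq 1) { 'Enabled (subcategory settings override category settings)' }
    else              { 'Disabled (category settings are applied)' }
}

function Get-EffectiveAuditPolicy {
    # /r emits CSV; blank lines are dropped before parsing.
    auditpol.exe /get /category:* /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-RecentAuditPolicyChange {
    param([int]$Max = 10)
    # Event 4719 records a change to the system audit policy.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } `
        -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

"Override setting: $(Get-AuditOverrideState)"

$before = Get-EffectiveAuditPolicy
gpupdate.exe /target:computer /force
$after  = Get-EffectiveAuditPolicy

# Rows marked <= are the pre-refresh value, => the post-refresh value.
Compare-Object $before $after -Property Subcategory, 'Inclusion Setting' |
    Sort-Object Subcategory, SideIndicator |
    Format-Table Subcategory, 'Inclusion Setting', SideIndicator -AutoSize

Get-RecentAuditPolicyChange | Format-Table -AutoSize -Wrap
```

An empty comparison table means the refresh did not change the effective policy; timestamps on the 4719 entries that line up with the refresh indicate that Group Policy processing is what rewrote it.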