AkashKujur-8461 asked ClausBruun-4500 edited

Advanced Audit Policy no longer applying after running auditpol.exe /clear

I was troubleshooting some advanced group policy issues: some were getting applied, some were not. So I ran auditpol.exe /clear on the problematic machine once. Now the advanced audit policies are not getting applied, even after I run repeated gpupdates and system reboots.

  • There are no local policies configured.

  • I have tried clearing audit.csv from the domain GPO, but nothing is working on that machine.

  • The GPO updates successfully but advanced auditing is not applied. All other policies in that GPO do get applied.

  • Basic auditing is disabled in the GPO and it shows as applied in rsop.msc on the problematic machine.

How can I enable Advanced Auditing again after running the clear command?

The machine is Windows Server 2019

windows-group-policy

I made the same mistake. Everything was working fine, but I ran the advanced policy. With that I lost a lot of Philips remote code files. After that I also ran its auto-configuration, but the system hasn't recovered. I also cleared the extra policy configuration, but all in vain. In the end I contacted their support. The support team is quite humble. They guided me through a proper sequence; by deleting some extra file the system started working properly and my lost data was recovered. So contact the support team for a better solution.


AkashKujur-8461 answered

I got the answer to the problem. Advanced Audit policies are only working from the Default Domain Policy. If I do the settings in a separate GPO, it is not applied even if I enforce the GPO. Both GPOs are applied at the top domain level; the custom GPO works for other settings but fails for advanced auditing. When the settings are shifted to the Default Domain Policy, auditing starts working.

This looks like a bug which Microsoft may want to look at, or is there any specific reason why this happens?

HannahXiong-MSFT answered AkashKujur-8461 commented

Hello,

Thank you so much for posting here.

According to your description, we have configured the Advanced Audit policies, and some got applied while some were not. That is to say, there is nothing wrong with the configuration, since some got applied. We are wondering whether this GPO is only not applied on the Windows Server 2019 machine?

Besides, we mentioned that all other policies in that GPO do get applied. So in the same GPO, there are other policies except the advanced audit policies.

Once we use the Advanced audit policy on the system, the legacy audit policy will not be used by this system. So, as mentioned, the legacy audit policy is disabled.

Generally we can check if the GPOs are applied via gpresult. But it is not suitable or accurate for the audit policies. We check the result of applying the audit policies via the auditpol command:

auditpol /get /category:*

After running the command auditpol.exe /clear, the audit policies will be cleared. Then we could run gpupdate /force and the audit policies will come back. For example:

(screenshots 11.png, 12.png and 13.png attached in the original answer)

For any question, please feel free to contact us.

Best regards,
Hannah Xiong




Yes, I have tried that multiple times but it is not coming back.
Below is the result after running auditpol /clear:

(screenshot attached in the original comment)

This is the Group Policy setting from rsop.msc:

(screenshot attached in the original comment)

I have tried the above steps multiple times but it's not working on that server.

For GPO permissions under Security Filtering, I have only put a group with Computer Objects (Servers only) and removed Authenticated Users. This is because keeping Authenticated Users was making the policy apply to client Windows 10 machines, so I had to remove them.

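The check Hannah describes above (auditpol /get /category:* before and after gpupdate /force), scripted so the outcome is a table of which subcategories came back rather than a screenshot. This is an added example, not code from the thread or from Microsoft. The entries in $Expected are assumptions standing in for whatever the domain GPO is supposed to set; SCENoApplyLegacyAuditPolicy is the registry value behind the "Audit: Force audit policy subcategory settings" option. Run it in an elevated PowerShell session on the affected server.

```powershell
# Added example (not from the original thread). Snapshots the effective audit
# policy from "auditpol /get /category:* /r" (CSV output), forces a Group
# Policy refresh, then reports which subcategories still differ from what the
# GPO is meant to deliver.

# Assumption: these are the subcategories your domain GPO configures.
$Expected = @{
    'Credential Validation'     = 'Success and Failure'
    'Security System Extension' = 'Success'
    'Logon'                     = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # /r prints CSV; "Inclusion Setting" is the effective value per subcategory.
    $rows = auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    $map = @{}
    foreach ($r in $rows) {
        if ($r.Subcategory) {
            $map[$r.Subcategory.Trim()] = $r.'Inclusion Setting'.Trim()
        }
    }
    return $map
}

function Compare-AuditPolicy([hashtable]$Actual, [hashtable]$Wanted) {
    foreach ($name in $Wanted.Keys) {
        $have = if ($Actual.ContainsKey($name)) { $Actual[$name] } else { '<missing>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Wanted[$name]
            Actual      = $have
            Ok          = ($have -eq $Wanted[$name])
        }
    }
}

$before = Get-EffectiveAuditPolicy
Write-Host '--- before gpupdate ---'
Compare-AuditPolicy $before $Expected | Format-Table -AutoSize

# 1 means "Audit: Force audit policy subcategory settings (Windows Vista or
# later) to override audit policy category settings" is Enabled.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
Write-Host ("SCENoApplyLegacyAuditPolicy = {0}" -f $lsa.SCENoApplyLegacyAuditPolicy)

gpupdate.exe /force | Out-Null

$after  = Get-EffectiveAuditPolicy
$result = @(Compare-AuditPolicy $after $Expected)
Write-Host '--- after gpupdate ---'
$result | Format-Table -AutoSize

$stillOff = @($result | Where-Object { -not $_.Ok })
if ($stillOff.Count -gt 0) {
    Write-Warning ("{0} subcategorie(s) did not come back after the refresh; " +
                   "check audit.csv in the GPO and on the machine.") -f $stillOff.Count
}
```

If the "after" table still shows "No Auditing" for subcategories the GPO sets while gpresult reports the GPO as applied, the problem is in the audit.csv delivery rather than in GPO linking, which is what the rest of the thread goes on to find.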
HannahXiong-MSFT answered ClausBruun-4500 edited

Hello,

Thank you so much for posting here.

If we use Advanced Audit Policy Configuration settings, we should enable the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored. So we have applied this policy, and it is successfully applied.

The Advanced audit policies are not applied. Would you please kindly run the command below to get the policy report and check whether the specific settings are applied or not? Also please let us know if there are any error messages.

gpresult /h C:\report.html

For example, I configured the advanced audit policies and Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy in the same GPO.

(screenshots 111.png and 112.png attached in the original answer)

Then check the gpresult report, the settings are applied as shown below.

(screenshots 113.png and 114.png attached in the original answer)

According to your description, we deployed Security Filtering. We could add the group (to which you want to apply the policy) with Read and Apply permissions.

With Security Filtering, this Group Policy now applies only to computers that are members of the security group. However, we still need to remember that the computer should be part of the site/domain/OU to which this Group Policy Object is linked. We could kindly check this.

For any question, please feel free to contact us.

Best regards,
Hannah Xiong


Thanks for the explanation - helped a lot.

However, I'm still puzzled about where auditpol /set is persisted and where it comes into play in combination with local or domain advanced audit settings.

My experiments tell me that auditpol /set values are ignored when a local policy exists.
Also, domain GPOs are only applied if the local machine already has a local policy and an Audit.csv in C:\WINDOWS\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit.

Can you or someone elaborate ?

Thanks
Claus

HannahXiong-MSFT answered

Hello,

Thank you so much for your feedback.

So glad to hear that the advanced audit settings started working when they were shifted to the Default Domain Policy. If we did the settings in a separate GPO, it would still be applied. Below is my test, and we could kindly have a check.

1. Created an OU (such as an OU for computers) and added the computers to this OU.

2. Created a GPO and linked it to the above OU (the GPO was named Advanced audit policy).

3. Edited the GPO and configured the settings, such as Audit Credential Validation set to Success and Failure, and Audit Security System Extension set to Success.

4. Logged on to the computer and refreshed the group policy via the command gpupdate /force.

5. Checked gpresult and saw that the GPO was applied successfully.

6. Then checked the audit policy via the command auditpol /get /category:* and could see that the settings were applied.

7. Last, checked the Event Viewer and could see that some events were logged.

(screenshots 11.png through 17.png attached in the original answer)

Hope the information is helpful. Thank you so much for your time.

Best regards,
Hannah Xiong



MarekLopi-5074 answered

Hi

Similar problem, but I probably had a different issue. The Audit.csv located on both paths was corrupted (inside was a lot of spaces), so even though gpresult showed the advanced audit policies as assigned, they didn't work. I have no time to study the MS documentation, but I suppose the system tries to merge the domain GPO with the local one, and in this case, when this file is corrupted, it shows No Auditing for all audits.
To fix it, simply overwrite the audit.csv files with a correct one, or even an empty one (if you want only the domain GPO).

Brenticus-4216 answered Blane-9688 commented

Wanted to chime in here as this thread helped point me in the right direction. I've got a 2012R2 DFL domain and was implementing the Advanced Audit Policies on three different OUs. Unlike the OP, I was able to get them working without using the Default Domain Policy entirely. However, there does seem to be a switch of some sort which is triggered by configuring them in the Default Domain Policy. It will become clearer with a review of my process:

  1. I backed up all 3 Audit Policy GPOs.

  2. Per Microsoft's direction, I deleted all audit.csv files from the %SYSVOL% folder on the domain controller. This resets all of the Advanced Audit Policy settings to "Not Configured" in all GPOs. That is explained at the bottom of this URL: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd408940(v=ws.10)?redirectedfrom=MSDN

  3. On your Default Domain GPO, ensure that Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is set to Enabled.

  4. Configure a single Advanced Audit Policy setting in the Default Domain Policy to Enabled. Just one. This is the "switch" I was referring to.

  5. Import the backed-up Advanced Audit Policy GPOs into their respective GPOs. Ensure that they are linked to the appropriate OUs.

  6. Do a gpupdate /force on any systems in the OUs. You'll now see all of your Advanced Audit Policy GPOs configured as intended and using the individually linked OU policies (versus the Default Domain Policy).

Few things:
a. I've not checked whether I'm then able to unconfigure the single Advanced Audit Policy setting in the Default Domain GPO and still retain functionality. My gut hunch is that it will revert, and it's too much of a hassle when it's working fine with the single setting configured.
b. I believe this may be an issue that Microsoft has resolved, via an update or a subsequent version; however, I've not been able to track that down. I've managed other domains with a 2012R2 DFL and above and I've not had the same issue. In other words, yet another thing to remember about Microsoft AD/GPO administration that seems to depend on unknown circumstances and is not as documented. Yay!!!! Lol

-Brent




I know this is old, but I wanted to chime in and thank you for this suggestion. I was having the issue where my advanced audit policies wouldn't apply in their own GPO. I changed the Default Domain Policy to enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" and one advanced logging option, and now my other policy is applying correctly. Thanks again for the idea!

Blane-9688

I did something conceptually similar to Brent, but on a per-machine basis. I found that if you set the audit settings on a sample machine, you can then copy the file in C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv to another machine, reboot, and it gets the correct audit settings. This allows you to get the settings you need, without having to monkey around with AD level GPOs, etc. We have BigFix to automate this, but SCCM or KACE would work too.

DavidTrevor-6879 answered Uzhirian-7069 commented

Advanced Auditing will not work at all if the "Default Domain Policy" is missing its audit.csv file in the SYSVOL folder
{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit

Even policies set locally via secpol.msc won't work!


To restore the audit.csv file, simply edit the "Default Domain Policy" and set any advanced audit setting. This recreates the audit.csv file in the SYSVOL path and you can immediately revert the change to the "Default Domain Policy".


Absolutely this. Thanks for dropping that info here; I was getting ready to murder something, so you saved an innocent life haha.

To resolve, here's the full process I used (DavidTrevor's answer + extra steps):
Issue: the custom GPO wasn't showing advanced audit settings or working when the GPO was applied to the device.
Solution:
1. I added and then removed an advanced audit setting in the Default Domain GPO.
2. Confirmed the audit.csv was now present in the Default Domain GPO in SYSVOL.
3. As my custom policy still wasn't showing settings or working on the test device, I edited the GPO again, turning one advanced audit option off and then on.
4. On refresh, the GPO showed all the advanced settings.
5. On the test device, ran "gpupdate /force" and then "auditpol /get /category:*" to confirm the policy applied.


That explains it David. Thanks for passing that on.

-Brent (formerly Brenticus-4216)

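A preflight for the audit.csv files that David, Marek and Blane describe above. This is an added example, not any of the posters' own scripts. It checks the Default Domain Policy copy in SYSVOL (GPO GUID {31B2F340-016D-11D2-945F-00C04FB984F9}, the one David says must exist), the local-policy copy under System32\GroupPolicy that Blane copies between machines, and the cached domain copy under %SystemRoot%\security\audit (that third path is my assumption about where the Group Policy client keeps the merged file; the thread does not name it). It flags a missing or whitespace-only file (Marek's corruption case) and parses the rows using the column layout that auditpol /backup writes. The domain name comes from USERDNSDOMAIN, which assumes a domain-joined machine.

```powershell
# Added example (not from the original thread). Inspects the audit.csv files
# involved in Advanced Audit Policy delivery and reports missing, blank, or
# unparseable copies together with the subcategories each one sets.

$domain = $env:USERDNSDOMAIN   # assumption: run on a domain-joined machine
$defaultDomainPolicyGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

$paths = [ordered]@{
    'Default Domain Policy (SYSVOL)' =
        "\\$domain\SYSVOL\$domain\Policies\$defaultDomainPolicyGuid\MACHINE\Microsoft\Windows NT\Audit\audit.csv"
    'Local policy copy' =
        "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv"
    # Assumption: cached copy of the merged domain audit policy on the client.
    'Cached domain copy' =
        "$env:SystemRoot\security\audit\audit.csv"
}

function Test-AuditCsv([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; State = 'missing'; Rows = @() }
    }
    $raw = Get-Content -LiteralPath $Path -Raw
    if ([string]::IsNullOrWhiteSpace($raw)) {
        # The "file full of spaces" case: present, but carries no policy rows.
        return [pscustomobject]@{ Path = $Path; State = 'empty-or-whitespace'; Rows = @() }
    }
    # Header written by auditpol /backup and used in GPO audit.csv files:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,
    # Inclusion Setting,Exclusion Setting,Setting Value
    try {
        $rows = $raw -split "`r?`n" | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    } catch {
        return [pscustomobject]@{ Path = $Path; State = "unparseable: $_"; Rows = @() }
    }
    $parsed = foreach ($r in $rows) {
        if (-not $r.Subcategory) { continue }
        [pscustomobject]@{
            Subcategory = $r.Subcategory
            Setting     = $r.'Inclusion Setting'
            Value       = $r.'Setting Value'   # 0 none, 1 success, 2 failure, 3 both
        }
    }
    $state = if (@($parsed).Count -eq 0) { 'header-only' } else { 'ok' }
    return [pscustomobject]@{ Path = $Path; State = $state; Rows = @($parsed) }
}

foreach ($label in $paths.Keys) {
    $res = Test-AuditCsv $paths[$label]
    Write-Host ("[{0}] {1}" -f $label, $res.Path)
    Write-Host ("    state: {0}, rows: {1}" -f $res.State, $res.Rows.Count)
    if ($res.Rows.Count -gt 0) {
        $res.Rows | Format-Table -AutoSize | Out-String | Write-Host
    }
}
```

A "missing" result for the SYSVOL copy is the condition David describes; "empty-or-whitespace" on either local path is Marek's. Either way the fix in the thread is the same: put a valid audit.csv back (by touching a setting in the Default Domain Policy, or by overwriting the local file), then gpupdate /force and re-check with auditpol /get /category:*.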