Advanced Audit Policy no longer applying after running auditpol.exe /clear

Akash Kujur 201 Reputation points
2020-10-12T06:52:34.367+00:00

I was troubleshooting some advanced group policy issues; some were getting applied, some were not. So I ran auditpol.exe /clear on the problematic machine once. And now the advanced audit policies are not getting applied even after I run repeated gpupdates and system reboots.

  • There are no local policies configured.
  • I have tried clearing audit.csv from the domain GPO, but nothing is working on that machine.
  • The GPO updates successfully but advanced auditing is not applied. All other policies in that GPO do get applied.
  • Basic auditing is disabled in the GPO and it shows as applied in rsop.msc on the problematic machine.

How can I enable Advanced Auditing again after running the clear command?

The machine is Windows Server 2019


Accepted answer
  1. Akash Kujur 201 Reputation points
    2020-10-16T10:33:01.197+00:00

    I got the answer to the problem. Advanced Audit policies are only working from the Default Domain Policy. If I do the settings on a separate GPO, it is not applying even if I enforce the GPO. Both GPOs are applied at the top domain level; the custom GPO works for other settings but fails for Advanced auditing. When the settings are shifted to the Default Domain Policy, auditing starts working.

    This looks like a bug which Microsoft may want to look at, or is there any specific reason why this happens?


6 additional answers

  1. Marek Lopi 1 Reputation point
    2020-12-17T16:38:50.53+00:00

    Hi

    Similar problem, but I probably had another issue. Audit.csv located on both paths was corrupted (inside were a lot of spaces), so even though gpresult showed advanced audit policies assigned, it didn't work. I have no time to study MS documentation, but I suppose the system tries to merge the domain GPO with the local one, and in this case, when this file is corrupted, it shows No auditing for all audits.
    To fix it, simply overwrite the audit.csv files with a correct one or even an empty one (if you want only the domain GPO).


  2. Brenticus 1 Reputation point
    2021-08-05T17:05:27.85+00:00

    Wanted to chime in here as this thread helped point me in the right direction, I've got a 2012R2 DFL domain and was implementing the Advanced Audit Policies on three different OUs. Unlike the OP I was able to get them working without using the Default Domain Policy entirely. However, there does seem to be a switch of some sort which is triggered by configuring them in the Default Domain Policy. It will become more clear with the review of my process:

    1. I backed up all 3 Audit Policy GPOs.
    2. Per Microsoft's direction, I deleted all audit.csv files from the %SYSVOL% folder on the domain controller. This resets all of the Advanced Audit Policy settings to "Not Configured" in all GPOs. That is explained at the bottom of this URL: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd408940(v=ws.10)?redirectedfrom=MSDN
    3. On your Default Domain GPO, ensure that Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is set to Enabled.
    4. Configure a single Advanced Audit Policy setting in the Default Domain Policy to Enabled. Just one. This is the "switch" I was referring to.
    5. Import the backed up Advanced Audit Policy GPOs into their respective GPOs. Ensure that they are linked to the appropriate OUs.
    6. Do a gpupdate /force on any systems in the OUs. You'll now see all of your Advanced Audit Policy GPOs configured as intended and using the individually linked OU policies. (versus the Default Domain Policy)

    Few things:
    a. I've not checked to see if I'm then able to unconfigure the single Advanced Audit Policy setting in the Default Domain GPO and still retain functionality. My gut hunch is that it will revert back, and it's too much of a hassle when it's working fine with the single setting configured.
    b. I believe this may be an issue that Microsoft has resolved, per update or subsequent version, however I've not been able to track that down. I've managed other domains with a 2012R2 DFL and above and I've not had the same issue. In other words, yet another thing to remember about Microsoft AD/GPO administration that seems to depend on unknown circumstances and is not as documented. Yay!!!! Lol

    -Brent
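
The two checks that come up in the answers above (a corrupted audit.csv, and the "Audit: Force audit policy subcategory settings" option from step 3) can be scripted; the following is an added example, not code from any poster or from Microsoft. The function names are hypothetical, the header layout is assumed to be the one `auditpol /backup` writes, the sample rows are constructed, and the path to a real audit.csv is left for the reader to supply.

```powershell
# Assumption: column layout as written by 'auditpol /backup'.
$ExpectedHeader = 'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value'

function Test-AuditCsv {
    # $Lines: file content, e.g. from Get-Content on an audit.csv path you supply.
    param([string[]]$Lines)
    $problems = New-Object System.Collections.Generic.List[string]
    if (-not $Lines -or $Lines.Count -eq 0) { return $problems }   # empty file: nothing defined, not corrupt
    if ($Lines[0] -ne $ExpectedHeader) { $problems.Add('line 1: unexpected header') }
    for ($i = 1; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]; $n = $i + 1
        if ($line -eq '') { continue }
        if ($line.Trim() -eq '') { $problems.Add("line ${n}: whitespace only"); continue }
        $f = $line.Split(',')   # simplification: assumes no commas inside fields
        if ($f.Count -ne 7) { $problems.Add("line ${n}: $($f.Count) fields, expected 7"); continue }
        if ($f | Where-Object { $_ -ne $_.Trim() }) { $problems.Add("line ${n}: field padded with spaces") }
        $guid = $f[3].Trim()
        if ($guid) {   # subcategory rows carry a GUID; other rows are not checked further
            if ($guid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
                $problems.Add("line ${n}: malformed subcategory GUID")
            }
            if ($f[6].Trim() -notmatch '^\d+$') { $problems.Add("line ${n}: Setting Value is not a number") }
        }
    }
    return $problems
}

function Test-SubcategoryOverride {
    # Registry value behind "Audit: Force audit policy subcategory settings ..."; 1 = Enabled.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.SCENoApplyLegacyAuditPolicy -eq 1)
}

# Constructed sample: one valid row, one whitespace-only line, one row with a padded field.
$sample = @(
    $ExpectedHeader
    ',System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3'
    '        '
    ',System,Audit Logoff,  {0cce9216-69ae-11d9-bed3-505054503030}  ,Success,,1'
)
Test-AuditCsv -Lines $sample
"Subcategory override enabled: $(Test-SubcategoryOverride)"
auditpol.exe /get /category:*   # effective policy on this machine; run from an elevated prompt
```

On the sample, `Test-AuditCsv` reports line 3 as whitespace only and line 4 as having a padded field; comparing the `auditpol /get` output before and after `gpupdate /force` shows whether the GPO settings actually reached the machine.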