Wanted to chime in here as this thread helped point me in the right direction. I've got a 2012R2 DFL domain and was implementing the Advanced Audit Policies on three different OUs. Unlike the OP, I was able to get them working without using the Default Domain Policy entirely. However, there does seem to be a switch of some sort which is triggered by configuring them in the Default Domain Policy. It will become more clear with the review of my process:
- I backed up all 3 Audit Policy GPOs.
- Per Microsoft's direction, I deleted all audit.csv files from the %SYSVOL% folder on the domain controller. This resets all of the Advanced Audit Policy settings to "Not Configured" in all GPOs. That is explained at the bottom of this URL: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd408940(v=ws.10)?redirectedfrom=MSDN
- On your Default Domain GPO, ensure that Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings is set to Enabled.
- Configure a single Advanced Audit Policy setting in the Default Domain Policy to Enabled. Just one. This is the "switch" I was referring to.
- Import the backed up Advanced Audit Policy GPOs into their respective GPOs. Ensure that they are linked to the appropriate OUs.
- Do a gpupdate /force on any systems in the OUs. You'll now see all of your Advanced Audit Policy GPOs configured as intended and using the individually linked OU policies. (versus the Default Domain Policy)
Few things:
a. I've not checked to see if I'm then able to unconfigure the single Advanced Audit Policy setting in the Default Domain GPO and still retain functionality. My gut hunch is that it will revert back, and it's too much of a hassle when it's working fine with the single setting configured.
b. I believe this may be an issue that Microsoft has resolved, per update or subsequent version, however I've not been able to track that down. I've managed other domains with a 2012R2 DFL and above and I've not had the same issue. In other words, yet another thing to remember about Microsoft AD/GPO administration that seems to depend on unknown circumstances and is not as documented. Yay!!!! Lol
-Brent
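
A read-only way to check the end state of the steps in the post above, as an added example that is not part of Brent's post: it lists which GPOs in SYSVOL carry an audit.csv, reads the registry value behind the "Force audit policy subcategory settings" option, and prints the subcategories the local machine is actually auditing. It assumes the RSAT GroupPolicy module, a domain-joined machine, and an elevated prompt for auditpol.

```powershell
# Added example: inspects state only, changes nothing.
# Assumptions: RSAT GroupPolicy module installed, domain-joined machine,
# elevated session (auditpol /get needs it).
Import-Module GroupPolicy

$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

# 1. Which GPOs hold Advanced Audit Policy settings (one audit.csv per GPO).
Get-ChildItem -Path $policies -Directory | ForEach-Object {
    $csv = Join-Path $_.FullName 'Machine\Microsoft\Windows NT\Audit\audit.csv'
    if (Test-Path -LiteralPath $csv) {
        $gpo  = Get-GPO -Guid $_.Name.Trim('{}') -ErrorAction SilentlyContinue
        # Rows without a Subcategory value are not settings; skip them.
        $rows = @(Import-Csv -LiteralPath $csv | Where-Object { $_.Subcategory })
        [pscustomobject]@{
            GPO           = if ($gpo) { $gpo.DisplayName } else { $_.Name }
            Subcategories = $rows.Count
            Modified      = (Get-Item -LiteralPath $csv).LastWriteTime
        }
    }
} | Format-Table -AutoSize

# 2. Registry value written by "Audit: Force audit policy subcategory settings
#    (Windows Vista or later) to override audit policy category settings".
$lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = $lsa.SCENoApplyLegacyAuditPolicy
if ($force -eq 1) {
    'Force subcategory override: Enabled'
} else {
    "Force subcategory override: not enabled (value: '$force')"
}

# 3. Effective audit policy on this machine after gpupdate /force.
#    /r emits CSV; drop blank lines before parsing.
auditpol /get /category:* /r |
    Where-Object { $_ } |
    ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

Comparing the subcategories from step 3 against the audit.csv of the GPO linked to the machine's OU shows whether the OU-linked policy or the Default Domain Policy is the one taking effect.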