Hello Joe Grover,
Thank you for posting in the Q&A forum.
There are two locations where we can configure the audit policies:
Security Settings\Local Policies\Audit Policy
Security Settings\Advanced Audit Policy Configuration\System Audit Policies
You have checked the result of applying the audit policies via the auditpol command:
auditpol /get /category:* >c:\path\filename.txt
If this command returns any audit policies, the advanced audit policy settings are configured.
Because you have configured one advanced audit policy before (Account Management (Security Group Management and User Account Management)), you need to configure audit account logons and failures via the advanced audit policy.
Please check if you configured audit account logons and failures via Advanced Audit Policy Configuration.
Note:
Once you have used the advanced audit policy in the system, none of the legacy audit policies will be used by this system.
Once you have configured any one advanced audit policy, all legacy audit policies will be overwritten by default.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
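
One way to carry out the check suggested in the answer above, added here as an example and not part of the original answer: the function reads the CSV report that auditpol produces with /r and lists which Account Logon subcategories audit both Success and Failure. The function name, the sample report, the machine name and the placeholder GUIDs are constructed for illustration, and the subcategory names assume an English-language system.

```powershell
# Added example: reports Account Logon subcategories that do not audit
# both Success and Failure, based on the CSV report from "auditpol ... /r".
function Get-AccountLogonAuditGap {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLines   # lines of the /r report
    )
    # Account Logon subcategory names as shown on an English system (assumption).
    $wanted = 'Credential Validation',
              'Kerberos Authentication Service',
              'Kerberos Service Ticket Operations',
              'Other Account Logon Events'

    # Drop blank lines, then let the first remaining line act as the CSV header.
    $rows = $CsvLines | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($name in $wanted) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        # A subcategory missing from the report is flagged rather than skipped.
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Complete    = ($setting -eq 'Success and Failure')
        }
    }
}

# Constructed sample report: Account Management is configured (as in the
# question), Account Logon is not. GUIDs are placeholders, not real values.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Security Group Management,{00000000-0000-0000-0000-000000000001},Success and Failure,
HOST01,System,User Account Management,{00000000-0000-0000-0000-000000000002},Success and Failure,
HOST01,System,Credential Validation,{00000000-0000-0000-0000-000000000003},No Auditing,
HOST01,System,Kerberos Authentication Service,{00000000-0000-0000-0000-000000000004},Success,
'@ -split "`r?`n"

Get-AccountLogonAuditGap -CsvLines $sample | Format-Table -AutoSize

# On a live system, from an elevated prompt:
# Get-AccountLogonAuditGap -CsvLines (auditpol /get /category:* /r)
```

Any row with Complete set to False is a subcategory that still has to be enabled for Success and Failure under Advanced Audit Policy Configuration.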