Advanced audit policy settings through script is being reverted after a while

Mirit Sadon 21 Reputation points Microsoft Employee
2022-03-03T09:29:12.297+00:00

The main goal: Write a script that will set Kerberos authentication ticket audit events to enable.

I have tested this on Windows Datacenter 2019 and 2022. I created a new virtual machine on Azure,
connected to it using Bastion and ran the following command in PowerShell:

auditpol /set /category:"Account Logon" /success:enable /failure:enable

For some reason after a while the changes revert back.
I verified that the registry value Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy is set to 1, as instructed. Also, the cfg sets it to 4,1 (the defaults).

This is happening even before I install AD and configure it.
I didn't change the local security group settings and everything is set to undefined regarding the advanced audit policy.

When I use the GUI tools to configure the policies (local\default domain controller) it automatically persists the changes in a file called audit.csv
for local security group: c:\Windows\System32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv
so any update to this file takes effect after the "gpupdate /force" command.
I used "auditpol /get /category:*" to view the used policy setting.

But this file doesn't exist before you manually change something.

I tried creating the file manually but there are additional changes that are done to the registry when we modify the policy through the GUI (Local security group editor).

I have seen a lot of posts about this issue but none of the above solutions worked.

Thanks
Mirit
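Added example (not part of Mirit's post): a PowerShell script that sets the two Kerberos subcategories by GUID instead of the whole "Account Logon" category, reads the effective setting back in CSV form, and then reports the things that can put the setting back on the next policy refresh, namely the SCENoApplyLegacyAuditPolicy value and any advanced audit policy file (audit.csv) carried by the local GPO or, on a domain controller, by a domain GPO in SYSVOL. It assumes an elevated session; the subcategory GUIDs and file locations are the standard Windows ones, and the SYSVOL scan finds nothing on a machine that is not a DC.

```powershell
# Added example, not code from the original question. Run from an elevated PowerShell session.

# Subcategory GUIDs as published by Microsoft for Advanced Audit Policy Configuration.
$KerberosSubcategories = [ordered]@{
    'Audit Kerberos Authentication Service'    = '{0CCE9242-69AE-11D9-BED3-505054503030}'
    'Audit Kerberos Service Ticket Operations' = '{0CCE9240-69AE-11D9-BED3-505054503030}'
}

function Enable-KerberosAuditing {
    foreach ($entry in $KerberosSubcategories.GetEnumerator()) {
        # Setting by GUID avoids locale-dependent display names and touches only these two
        # subcategories rather than every subcategory under "Account Logon".
        & auditpol.exe /set /subcategory:"$($entry.Value)" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for $($entry.Key)" }
    }
}

function Get-KerberosAuditing {
    # /r prints CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting); parse it instead of scraping the table.
    $guids = $KerberosSubcategories.Values -join ','
    & auditpol.exe /get /subcategory:"$guids" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Test-AuditPolicyOverrides {
    # SCENoApplyLegacyAuditPolicy = 1 makes the advanced (subcategory) policy win over
    # the legacy nine-category policy. The asker already reports it as 1.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'SCENoApplyLegacyAuditPolicy'
        Value  = $lsa.SCENoApplyLegacyAuditPolicy
        Detail = 'expected 1'
    }

    # Local GPO audit.csv, plus (on a DC) every domain GPO that carries one. When such a
    # file exists, gpupdate re-applies its rows over whatever auditpol set locally, which
    # is the "reverts after a while" behaviour described in the question.
    $candidates = @("$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv")
    $candidates += Get-ChildItem -Path "$env:SystemRoot\SYSVOL" -Recurse -Filter 'audit.csv' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName

    foreach ($path in $candidates) {
        if (-not (Test-Path $path)) { continue }
        # Report each subcategory the file pins so the source of the revert is visible.
        foreach ($row in (Import-Csv $path)) {
            [pscustomobject]@{
                Check  = 'audit.csv row'
                Value  = "$($row.Subcategory) = $($row.'Inclusion Setting')"
                Detail = $path
            }
        }
    }
}

Enable-KerberosAuditing
Get-KerberosAuditing      | Format-Table -AutoSize
Test-AuditPolicyOverrides | Format-Table -AutoSize -Wrap
```

If Test-AuditPolicyOverrides lists an audit.csv row for either Kerberos subcategory with a different inclusion setting, that policy is what wins at refresh time, and the fix belongs in that GPO rather than in another auditpol call.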


Accepted answer
    Limitless Technology 43,991 Reputation points
    2022-03-10T09:47:41.037+00:00

    Hi @Mirit Sadon

    To work around this issue kindly follow the steps provided below.

    1. Press Start, search for, and open the Group Policy Management Console, or run the command gpmc.msc.
    2. Right-click on the domain or organizational unit (OU) that you want to audit, and click on Create a GPO in this domain, and Link it here.
    3. Name the Group Policy Object (GPO) as appropriate.
    4. Right-click on the newly created or already existing GPO, and choose Edit.
    5. In the Group Policy Management Editor, on the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Logon.
    6. In the right pane, you will see a list of policies that are under Account Logon. Double-click on Audit Kerberos Authentication Service, and check the boxes labeled Configure the following audit events:, Success, and Failure.
    7. Perform the same actions for the policy Audit Kerberos Service Ticket Operations.
    8. Click on Apply, and then click on OK.
    9. Go back to the Group Policy Management Console, and on the left pane, right-click the OU in which the GPO was linked, and click on Group Policy Update. This step ensures that the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.

    *Steps to view Kerberos authentication events using Event Viewer

    Once the above steps are complete, Kerberos authentication events will be stored in the event log. These events can be viewed in the Event Viewer by performing the following actions on the domain controller (DC):

    1. Press Start, search for Event Viewer, and click to open it.
    2. In the Event Viewer window, on the left pane, navigate to Windows log ⟶ Security.
    3. Here, you will find a list of all the Security Events that are logged in the system.
    4. On the right pane, under Security, click on Filter Current Log.
    5. In the pop-up window, enter the desired Event ID*, as referenced in the table below, in the field labeled <All Event IDs>.
    6. Click on OK. This will provide you with a list of occurrences of that Event ID.
    7. Double-click on the Event ID to view its Properties.

    --
    If the Answer is helpful, please click "Accept Answer" and upvote it.
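Added example (not part of the answer above): a PowerShell equivalent of the Event Viewer filter in steps 1 to 7, using Get-WinEvent against the Security log on the domain controller. The answer's Event ID table is not reproduced on this page; the IDs used here are the standard Windows ones for the two subcategories the GPO enables (4768, 4771 and 4772 for Kerberos Authentication Service; 4769, 4770 and 4773 for Kerberos Service Ticket Operations), and the one-line descriptions are paraphrased. It assumes an elevated session, since reading the Security log requires one.

```powershell
# Added example, not code from the original answer. Run on the DC in an elevated session.

$KerberosEventIds = @{
    4768 = 'Authentication ticket (TGT) requested'     # Kerberos Authentication Service
    4769 = 'Service ticket requested'                  # Kerberos Service Ticket Operations
    4770 = 'Service ticket renewed'                    # Kerberos Service Ticket Operations
    4771 = 'Pre-authentication failed'                 # Kerberos Authentication Service
    4772 = 'Authentication ticket request failed'      # Kerberos Authentication Service
    4773 = 'Service ticket request failed'             # Kerberos Service Ticket Operations
}

function Get-KerberosAuditEvents {
    param([int]$Hours = 24, [int]$MaxEvents = 500)
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]$KerberosEventIds.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent throws when nothing matches; treat "no events" as an empty result.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData fields carry names only in the XML rendering, not in .Properties.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Id            = $_.Id
            What          = $KerberosEventIds[$_.Id]
            Account       = $data['TargetUserName']
            Service       = $data['ServiceName']
            ClientAddress = $data['IpAddress']
            Status        = $data['Status']     # Kerberos result code; 0x0 on success
        }
    }
}

function Get-KerberosFailureSummary {
    param([int]$Hours = 24)
    # Repeated failures for one account, address and status code are the rows worth
    # reading first: expired or mistyped credentials, a stale scheduled task, or
    # password guessing all show up here before anything else does.
    Get-KerberosAuditEvents -Hours $Hours |
        Where-Object { $_.Id -in 4771, 4772, 4773 } |
        Group-Object Account, ClientAddress, Status |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-KerberosAuditEvents -Hours 1 | Format-Table -AutoSize
Get-KerberosFailureSummary       | Format-Table -AutoSize
```

If Get-KerberosAuditEvents returns nothing at all on a DC that is serving logons, the subcategories are still off, which is the quickest way to confirm whether the GPO from the steps above has actually been applied.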

