Score:0

Windows 2019: Audit policy being overwritten by "something"

bm flag

I have a similar problem to the one described in the thread below: Audit policy being overwritten by "something"

Unfortunately, deleting audit.csv did not help.

Let me summarize the problem: we are using basic auditing in our environment, which means the setting below is disabled: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - DISABLED (no advanced auditing)

When I run gpedit.msc or secpol.msc to check the audit policy, it shows "NO AUDITING". I found out that when I restore the audit policy from a backed-up file, it looks as it should, for example "audit account logon events" - success, failure, etc., but when I run gpupdate /force it is switched back to "NO AUDITING". I tried to move these settings to the default domain policy, but with no success. I also tried many other things, but currently I have no idea.

Can someone help me on this please?

Thank you

cn flag
Where are the settings defined, and what are the values of the settings there?
Jan kratochvíl avatar
bm flag
The settings are defined in a GPO, which is linked to the OU where the server is sitting. I also tried to move the settings to the default domain policy, but with no success. When I run gpresult, it is visible that the GPO and settings are correctly applied, but when I run gpedit to check it, it looks like "no auditing". I also checked a different domain where it looks as it should, that is, the settings are visible in gpedit.
cn flag
What does `gpresult /h file.html` show?
Jan kratochvíl avatar
bm flag
I do not know how to post a screenshot, but it looks like auditing is set up: for example "audit account logon events" - success, failure
cn flag
I would use gpresult. It should be fairly easy to test the audit setting that you need. Is the system *not* auditing any account logons? If it is, I don't see a problem.
Jan kratochvíl avatar
bm flag
Well, HC is set up so that it reads data from the local policy. It should be automatically propagated to the local policy (gpedit). The reason is that if there is some local policy and a different domain policy, it takes both together.
Jan kratochvíl avatar
bm flag
The strange thing is that it works in my different domain, so there has to be something wrong.
cn flag
If auditing is working, perhaps you should clarify the question so that you can use the Local Policy Editor to view Group Policy Settings. That seems to be what you want.
Jan kratochvíl avatar
bm flag
OK, I will check if it is auditing and will come back. Thanks
Jan kratochvíl avatar
bm flag
Anyway, I will need to fix this problem no matter whether it is auditing or not.
Jan kratochvíl avatar
bm flag
I found event 4624 - Audit logon events, that means it is auditing, but I need to fix this problem, because HC presents this as violations: gpedit (local policy) => Audit logon events - no auditing
Jan kratochvíl avatar
bm flag
Hello, good morning, can we start on this topic again please?
Jan kratochvíl avatar
bm flag
Update: I have found there are records in the event log related to audit policy change. First it is added by the group policy object (as it should be), and then there are other records in the event log, 4719, auditing removed. I really do not know why, but at least I know it is removed by the system account...
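
The checks discussed in this thread can be collected into one diagnostic pass. The following PowerShell is an added example, not part of the original thread: it reads the registry value behind the "Force audit policy subcategory settings" option, dumps the effective policy with `auditpol`, and builds a timeline of event 4719 showing which account changed which subcategory. It assumes an elevated session and English `auditpol` column names; the `%%84xx` token mapping follows Microsoft's documentation for event 4719, and the variable names are illustrative.

```powershell
# Added diagnostic sketch; run from an elevated PowerShell session on the affected server.
# Tokens Windows stores in the AuditPolicyChanges field of event 4719.
$changeText = @{
    '%%8448' = 'Success removed'; '%%8449' = 'Success added'
    '%%8450' = 'Failure removed'; '%%8451' = 'Failure added'
}

# 1. Registry value behind "Audit: Force audit policy subcategory settings ...".
#    Empty or 0 means the option is not enabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
'SCENoApplyLegacyAuditPolicy = {0}' -f $lsa.SCENoApplyLegacyAuditPolicy

# 2. Effective policy as the system enforces it right now.
#    Column names assume an English-language auditpol.
$effective = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$nameByGuid = @{}
foreach ($row in $effective) {
    if ($row.'Subcategory GUID') { $nameByGuid[$row.'Subcategory GUID'] = $row.Subcategory }
}
$effective | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 3. Timeline of audit policy changes (event 4719): who changed what, and when.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue
$timeline = foreach ($e in $events) {
    # Flatten the named <Data> fields of the event into a lookup table.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $guid = [string]$d['SubcategoryGuid']
    $changes = foreach ($t in ([string]$d['AuditPolicyChanges'] -split ',')) {
        $t = $t.Trim()
        if ($changeText.ContainsKey($t)) { $changeText[$t] } else { $t }
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        ChangedBy   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Subcategory = if ($nameByGuid.ContainsKey($guid)) { $nameByGuid[$guid] } else { $guid }
        Changes     = $changes -join ', '
    }
}
$timeline | Sort-Object Time | Format-Table -AutoSize
```

Running it immediately before and after `gpupdate /force` shows whether the "removed" entries follow the Group Policy refresh and which subcategories they touch.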