Score:0

No events after Audit Detailed Directory Service Replication GPO applied to DC

in flag

I have created a GPO for Audit Detailed Directory Service Replication and applied it to the DCs, but there are no events in the log, such as:

  • 4928(S, F): An Active Directory replica source naming context was established.

  • 4929(S, F): An Active Directory replica source naming context was removed.

The domain is an ordinary domain without Azure.

Thank you for any help.

Created GPO and checked it applied to DC.

UPDATE: I see in auditpol:

DS Access

  • Directory Service Access Success and Failure

  • Directory Service Changes Success and Failure

  • Directory Service Replication No Auditing

  • Detailed Directory Service Replication No Auditing

cn flag
`checked it applied to DC`. What does auditpol show?
in flag
I see in auditpol now: DS Access Directory Service Access Success and Failure Directory Service Changes Success and Failure Directory Service Replication No Auditing Detailed Directory Service Replication No Auditing
cn flag
And the object(s) that you want to audit, what objects did you configure and what settings did you configure?
Score:0
ru flag
Jan

Domain-based (gpmc.msc) audit settings are stored in an audit.csv file in SYSVOL in the corresponding GPO folder

{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Machine\Microsoft\Windows NT\Audit\audit.csv

This .csv file is then copied to below location (upon gpupdate /force), which applies the audit settings to the machine

%systemroot%\security\audit\audit.csv

Important: Advanced Auditing will not work at all if the "Default Domain Policy" is missing its audit.csv file in the SYSVOL folder

{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit

Even policies set locally via secpol.msc won't work!

To restore the audit.csv file, simply edit the Default Domain Policy and set any advanced audit setting. This recreates the audit.csv file in the SYSVOL path and you can immediately revert the change to the Default Domain Policy.

Further information

The security setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" does not have to be set by GPO since it's enabled by default in secpol.msc on a clean OS.

auditpol /clear

You can clear all configured options on a computer via this command. This does not remove the audit.csv file from C:\Windows\security\audit but auditing will be disabled, which you can check with auditpol /get /category:*

Upon next gpupdate /force (in case of a domain-based policy), auditing will be turned back on

Locations

Local Security Policy (gpedit.msc)

stores its audit settings in

%systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv

this .csv file is then copied to below location (upon reboot or every 16 hours), which applies the audit settings to the machine

%systemroot%\security\audit\audit.csv

Domain-based (gpmc.msc)

audit settings are stored in an audit.csv file in SYSVOL in the corresponding GPO folder

{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Machine\Microsoft\Windows NT\Audit\audit.csv

this .csv file is then copied to below location (upon gpupdate /force), which applies the audit settings to the machine

%systemroot%\security\audit\audit.csv
in flag
David, thank you. I have run auditpol /clear and no audit policies are applied to the DC now. Then I looked in {31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit and there was no audit file inside this directory. I modified the Advanced audit policy in the Default Domain Policy and the file was created in {31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit. But after gpupdate /force no audit settings are applied to the DC! :( My custom audit policy has an audit.csv file with all my settings, but they are not applied.
ru flag
Jan
auditpol /get /category:* -> what does it show? GPO scoped to correct OU, is the GPO applied according to gpresult? Are there conflicting audit settings in other GPOs?
in flag
After running auditpol /clear I see NO parameters applied in auditpol /get /category:*, even after gpupdate /force on the DC. The GPO with the audit parameters is shown as applied in the gpresult /R command output.
in flag
Additionally, I see that in the Default Domain Policy, Audit account logon events is configured with Success, Failure. There are no Advanced audit parameters configured in the Default Domain Policy; they are configured only in my custom GPO applied to the DCs. Also, Audit: Force audit policy subcategory settings (Windows Vista or later) is activated in my audit GPO.
in flag
After setting Audit: Force audit policy subcategory settings (Windows Vista or later) to Disabled and running gpupdate /force, I see only the DS Access audit applied to the DC now... but the other parameters are not applied...
ru flag
Jan
Edited some info about different cache locations which you can clear out and report back if that changes anything
in flag
After changing Audit: Force audit policy subcategory settings (Windows Vista or later) to Enabled and running gpupdate /force, there are no changes - only the DS Access audit shows.
ru flag
Jan
Also check out the tools rsop.msc and secpol.msc on the DC itself to see if anything weird is showing there
in flag
The file %systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv is EMPTY; the file %systemroot%\security\audit\audit.csv has 55 lines with my parameters.
in flag
The {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}\Machine\Microsoft\Windows NT\Audit\audit.csv file is the same as %systemroot%\security\audit\audit.csv - 55 lines, but its modified date is 24.07.2023 even though I edited the parameters today.
in flag
There is a red cross on Audit Directory service access (failure, access) and on Audit account logon access: "The policy engine did not attempt to configure the setting".
ru flag
Jan
related: https://learn.microsoft.com/en-us/answers/questions/293317/domain-controller-group-policy-has-red-x-on-audit
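
The file locations from the answer and the `auditpol /get /category:*` check from the comments can be combined into one comparison. The script below is an added example, not part of the original thread; the parameter name `GpoAuditCsv`, the helper `Read-AuditCsv`, and the CSV column names `Subcategory GUID` and `Inclusion Setting` (as written on English-language systems) are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated session on the DC.
param(
    # Full path to the GPO's ...\Machine\Microsoft\Windows NT\Audit\audit.csv in SYSVOL
    [Parameter(Mandatory)] [string]$GpoAuditCsv
)

$paths = [ordered]@{
    GpoSysvol  = $GpoAuditCsv
    LocalGpo   = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
    LocalCache = Join-Path $env:SystemRoot 'security\audit\audit.csv'
}

# Read an audit.csv into GUID -> setting. Column names are assumed (English output).
function Read-AuditCsv([string]$Path) {
    $map  = @{}
    $file = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($file -and $file.Length -gt 0) {   # missing or empty file yields an empty map
        Import-Csv -LiteralPath $Path | Where-Object { $_.'Subcategory GUID' } | ForEach-Object {
            $map[$_.'Subcategory GUID'.Trim('{}')] = $_.'Inclusion Setting'
        }
    }
    return $map
}

# 1. Presence, size and timestamp of each copy (a stale date means the copy never refreshed).
$paths.Keys | ForEach-Object {
    $f = Get-Item -LiteralPath $paths[$_] -ErrorAction SilentlyContinue
    [pscustomobject]@{ Copy = $_; Exists = [bool]$f; Bytes = $f.Length; Modified = $f.LastWriteTime }
} | Format-Table -AutoSize

# 2. Effective policy as the system reports it (/r = CSV output).
$effective = @{}
auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv | ForEach-Object {
    $effective[$_.'Subcategory GUID'.Trim('{}')] = $_
}

# 3. Join on subcategory GUID; display names differ between the files and auditpol.
$gpo   = Read-AuditCsv $paths.GpoSysvol
$cache = Read-AuditCsv $paths.LocalCache
$gpo.Keys | ForEach-Object {
    $eff = $effective[$_]
    [pscustomobject]@{
        Subcategory = if ($eff) { $eff.Subcategory } else { $_ }
        InGpo       = $gpo[$_]
        InCache     = $cache[$_]
        Effective   = if ($eff) { $eff.'Inclusion Setting' } else { '(not reported)' }
    }
} | Where-Object { $_.InGpo -ne $_.Effective -or $_.InGpo -ne $_.InCache } |
    Sort-Object Subcategory | Format-Table -AutoSize
```

Rows where `InGpo` and `InCache` match but `Effective` differs correspond to the situation described in the comments: the file reached the DC but the settings were not applied.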