I was creating some new group policy for some audit settings when things started to behave oddly. As you might know, there are two sets of audit settings.
The legacy one:
And the advanced one:
If you enable the advanced one, be careful not to forget to enable the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” policy as well; without it the legacy category settings take precedence.
So after configuring all this, auditing should work. But if you play around with it a bit, it gets all messed up: you have the legacy settings, the advanced settings, group policy settings and local policy settings. Some settings cancel each other out, some overwrite each other…
To check the currently applied settings, use the GPRESULT /H foo.htm command; the generated report shows which policies were applied. If everything looks OK there but auditing is still not working as you want it to, you have to dig a little deeper. Thanks to Ned for his great post, by the way. As he explains, you need to check the effective settings with the auditpol.exe /get /category:* command.
The settings there were all wrong. So I tried to reset them with auditpol /clear, but the correct settings still would not apply. Neither gpupdate /force nor a system restart worked. I also deleted all audit.csv files in the domain's SYSVOL\***\Policies\ folders to make sure that no old audit settings were being applied.
I found out that the correct audit settings are first written to %systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv and are then copied to %systemroot%\security\audit\audit.csv.
Based on Ned’s info I found out that the applied settings are stored in the registry key HKEY_Local_Machine\Security\Policy\PolAdtEv, and that this key was not being updated from the current audit.csv file.
In the end I ran “Auditpol /restore /file:C:\Windows\security\audit\audit.csv” and the correct settings were loaded.
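The troubleshooting steps above (check the override policy, compare the GPO-staged audit.csv with the copy under %systemroot%\security\audit, compare both against what auditpol reports as effective, and only then run auditpol /restore) can be scripted. The following PowerShell is an added example and not part of the original post or of Ned's post; it assumes a default Windows layout for the two audit.csv paths, that auditpol /get /category:* /r emits CSV with a "Subcategory GUID" and "Inclusion Setting" column (which it does on supported Windows versions), and that the override policy is backed by the SCENoApplyLegacyAuditPolicy value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Run it from an elevated prompt; HKLM\SECURITY\Policy\PolAdtEv itself is only readable by SYSTEM, so the script checks the CSV copies and the effective policy instead.

```powershell
[CmdletBinding()]
param(
    # Only re-apply the LSA copy of audit.csv with auditpol /restore when asked to.
    [switch]$Restore
)

# Assumed default locations (see the post): GPO-staged copy and the copy LSA applies from.
$stagedCsv  = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
$appliedCsv = Join-Path $env:SystemRoot 'security\audit\audit.csv'

function Get-AuditCsvSettings {
    # Reads an audit.csv into a map of subcategory GUID -> inclusion setting.
    # GUIDs are used as keys because the CSV names subcategories "Audit Logon"
    # while auditpol prints them as "Logon".
    param([string]$Path)
    $map = @{}
    if (-not (Test-Path -Path $Path)) { return $map }
    foreach ($row in Import-Csv -Path $Path) {
        $guid = $row.'Subcategory GUID'.ToUpperInvariant()
        $map[$guid] = $row.'Inclusion Setting'
    }
    return $map
}

function Get-EffectiveAuditSettings {
    # auditpol /r prints the effective policy as CSV; blank lines are dropped before parsing.
    $map = @{}
    $lines = auditpol /get /category:* /r | Where-Object { $_ -and $_.Trim() }
    foreach ($row in ($lines | ConvertFrom-Csv)) {
        $guid = $row.'Subcategory GUID'.ToUpperInvariant()
        $map[$guid] = @{ Name = $row.Subcategory; Setting = $row.'Inclusion Setting' }
    }
    return $map
}

# Step 1: is the "force subcategory settings to override category settings" policy in effect?
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 1) {
    Write-Host 'Override policy is enabled: advanced subcategory settings take precedence.'
} else {
    Write-Warning 'Override policy is NOT enabled: legacy category settings will win over the advanced ones.'
}

# Step 2: does the GPO-staged copy match the copy LSA applies from?
foreach ($p in @($stagedCsv, $appliedCsv)) {
    if (-not (Test-Path -Path $p)) { Write-Warning "Missing: $p" }
}
if ((Test-Path -Path $stagedCsv) -and (Test-Path -Path $appliedCsv)) {
    $stagedHash  = (Get-FileHash -Path $stagedCsv  -Algorithm SHA256).Hash
    $appliedHash = (Get-FileHash -Path $appliedCsv -Algorithm SHA256).Hash
    if ($stagedHash -ne $appliedHash) {
        Write-Warning 'The GPO-staged audit.csv differs from %systemroot%\security\audit\audit.csv (copy not refreshed?).'
    }
}

# Step 3: compare the staged policy with what auditpol says is actually enforced.
$wanted    = Get-AuditCsvSettings -Path $stagedCsv
$effective = Get-EffectiveAuditSettings
$mismatch  = foreach ($guid in $wanted.Keys) {
    $e = $effective[$guid]
    if ($null -eq $e) { continue }          # subcategory unknown to this OS build
    if ($e.Setting -ne $wanted[$guid]) {
        [pscustomobject]@{ Subcategory = $e.Name; Policy = $wanted[$guid]; Effective = $e.Setting }
    }
}

if ($mismatch) {
    Write-Host 'Subcategories where the effective setting does not match the GPO audit.csv:'
    $mismatch | Format-Table -AutoSize
} else {
    Write-Host 'Effective audit policy matches the GPO-staged audit.csv.'
}

# Step 4 (opt-in): the fix from the post. auditpol /restore accepts the same CSV layout
# that auditpol /backup writes, which is why the GPO-generated file can be fed to it.
if ($Restore -and $mismatch) {
    auditpol /restore "/file:$appliedCsv"
    auditpol /get /category:*
}
```

Run it once without -Restore to see which of the three layers (override policy, CSV copy, effective policy) is out of step; only if step 3 reports mismatches does `-Restore` re-apply the CSV, after which a second run should report no differences. Keeping the restore behind a switch matters on domain-joined hosts, because the next Group Policy refresh will rewrite the staged CSV anyway, and a silent restore would hide the fact that the refresh itself is not propagating.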