If like me, you are trying to enable Audit Policies on Windows computers in a domain using Local Policies
> Audit Policy
, and it does not work, then you came to the right place.
Legacy Audit Policy: audit object access settings in Local Security Policy
The reason is: that is the legacy way to configure Audit Policies. Like Windows XP legacy.
You will find plenty of resources out there telling you this is because Advanced Audit Policy
is enabled and you need to disable it by setting Local Policies
> Security Options
> Audit: Force audit policy subcategory settings to override audit policy category settings
to Disabled
to make it work. While it is true that disabling the Advanced Audit Policy will make it work, it will revert to the old, non-granular way of configuring Audit Policies.
You are now supposed to use Advanced Audit Policy Configuration
. And by now, I mean since Vista.
Instead of setting Audit Object Access
to Success
and/or Failure
, you can now granularly enable which object type you want to audit: file shares, file system, registry, …
In your GPO or Local Security Policy, scroll down at the bottom of the list and you will see a dedicated folder called Advanced Audit Policy Configuration
with many categories, and in each of them, many settings you can now control independently.
Advanced Audit Policy: items in the Object Access category
Now if you apply it using gpupdate /force
and you check it using auditpol /get /category:*
, you should see a change in the individual items.
As a reminder, you can check which GPO is applying what setting using gpresult /h report.html
. You need to be an Administrator
to view the Computer configuration.