Applying Audit Policies

If like me, you are trying to enable Audit Policies on Windows computers in a domain using Local Policies > Audit Policy, and it does not work, then you came to the right place.

Legacy Audit Policy: audit object access settings in Local Security Policy

The reason is: that is the legacy way to configure Audit Policies. Like Windows XP legacy.

You will find plenty of resources out there telling you this is because Advanced Audit Policy is enabled and you need to disable it by setting Local Policies > Security Options > Audit: Force audit policy subcategory settings to override audit policy category settings to Disabled to make it work. While it is true that disabling the Advanced Audit Policy will make it work, it will revert to the old, non-granular way of configuring Audit Policies.

You are now supposed to use Advanced Audit Policy Configuration. And by now, I mean since Vista.

Instead of setting Audit Object Access to Success and/or Failure, you can now granularly enable which object type you want to audit: file shares, file system, registry, …

In your GPO or Local Security Policy, scroll down at the bottom of the list and you will see a dedicated folder called Advanced Audit Policy Configuration with many categories, and in each of them, many settings you can now control independently.

Advanced Audit Policy: items in the Object Access category

Now if you apply it using gpupdate /force and you check it using auditpol /get /category:* , you should see a change in the individual items.

As a reminder, you can check which GPO is applying what setting using gpresult /h report.html . You need to be an Administrator to view the Computer configuration.

This entry was posted in Computer, Microsoft and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.