Back in May, I wrote a blog post about how to report on Advanced Audit Policy settings to ensure your environment is set up correctly. I want to expand on this topic just a little to give you more options and go one step deeper.
First, I want to give you another option to view the current Advanced Audit Policy configurations for the computer you’re investigating. Of course, as I showed you in the earlier post, you can use AuditPol.exe. This is a good solution, but often we admins like to get GUI results, not just command line results. As an alternative, you can use the Group Policy Management Console (GPMC) to generate Group Policy Results for the computer in question.
After you open the GPMC, right-click the Group Policy Results node to start the Group Policy Results Wizard. You should enter the computer name that you need the report from as well as a username (if you wish, though you don’t need to include user information in the report).
After you start the query, you will receive information about the current settings. Figure 1 illustrates what you will see with regard to the Advanced Audit Policy, if it is configured. If no Advanced Audit Policy settings are configured, this node will be missing from the report.
Figure 1. The Group Policy Results node in the GPMC provides details about the currently configured Advanced Audit Policy settings.
Now that you have the report, you can see which Advanced Audit Policy settings are in place, which GPO set them, and what the setting is.
Second, for the Advanced Audit Policy settings to be functional in lieu of the traditional Audit Policy settings, you must change another setting. This setting is also in Group Policy, but not in the same area as the Audit Policy or Advanced Audit Policy settings.
To configure this setting, go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. There you will see a setting option that says, “Audit: Force Audit Policy subcategory settings (Windows Vista or later) to override Audit Policy category settings.” This setting will need to be set to Enabled for the Advanced Audit Policy settings to engage.
In order to verify that this setting is configured on the computer you are inquiring about, you can use the Group Policy Results node (as shown in Figure 1), the Advanced Audit Policy settings (as shown in Figure 2), or SecPol.msc (as shown in Figure 3).
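The two checks above (which Advanced Audit Policy subcategories are in effect, and whether the override setting that makes them take effect is Enabled) can be scripted so they are repeatable across many computers. The following PowerShell is an added example, not code from the original post or from ADAudit Plus. It assumes it runs elevated on the computer being examined, that the override setting is stored as the LSA registry value SCENoApplyLegacyAuditPolicy (1 = Enabled), and that the RSAT GroupPolicy module is optionally available for the HTML report; the baseline of expected subcategory settings is a constructed sample you would replace with your own.

```powershell
# Added example (not from the original post): report on Advanced Audit Policy state
# and confirm the override setting is Enabled, as a scripted version of the checks above.
# Assumptions: run elevated on the target computer; RSAT GroupPolicy module is optional.

# Constructed sample baseline: subcategory name -> expected "Inclusion Setting" text
# exactly as auditpol /r prints it ("Success", "Failure", "Success and Failure", "No Auditing").
$ExpectedAudit = @{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Security Group Management' = 'Success and Failure'
    'Process Creation'          = 'Success'
}

function Get-AdvancedAuditPolicyState {
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv = auditpol /get /category:* /r
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
    $csv | Where-Object { $_ -ne '' } | ConvertFrom-Csv |
        Where-Object { $_.Subcategory } |
        Select-Object Subcategory, 'Inclusion Setting', 'Exclusion Setting'
}

function Test-AuditOverrideSetting {
    # "Audit: Force audit policy subcategory settings (Windows Vista or later) to override
    # audit policy category settings" is stored as the LSA value SCENoApplyLegacyAuditPolicy.
    # 1 = Enabled (advanced subcategories win), 0 or missing = Disabled/Not Defined.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item  = Get-ItemProperty -Path $key -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    $value = if ($item) { $item.SCENoApplyLegacyAuditPolicy } else { $null }
    [pscustomobject]@{
        Setting = 'SCENoApplyLegacyAuditPolicy'
        Value   = $value
        Enabled = ($value -eq 1)
    }
}

function Compare-AuditBaseline {
    # Compare the live auditpol output against the expected baseline, one row per subcategory.
    param([hashtable]$Baseline)
    $current = Get-AdvancedAuditPolicyState
    foreach ($name in $Baseline.Keys) {
        $row    = $current | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Baseline[$name])
        }
    }
}

function Export-GroupPolicyResultsReport {
    # Same data the GPMC Group Policy Results wizard shows, written as an HTML file.
    # Requires the RSAT GroupPolicy module; skipped with a warning when it is not installed.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Path = (Join-Path $env:TEMP "gpresult-$ComputerName.html")
    )
    if (-not (Get-Module -ListAvailable -Name GroupPolicy)) {
        Write-Warning 'GroupPolicy module not installed; skipping Group Policy Results report'
        return
    }
    Import-Module GroupPolicy
    Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Html -Path $Path | Out-Null
    $Path
}

# Usage: override check first, because without it the subcategory settings do not apply.
$override = Test-AuditOverrideSetting
$override | Format-Table -AutoSize
if (-not $override.Enabled) {
    Write-Warning 'Advanced Audit Policy will not take effect: the override setting is not Enabled'
}
Compare-AuditBaseline -Baseline $ExpectedAudit | Format-Table -AutoSize
Export-GroupPolicyResultsReport
```

The override check runs first on purpose: a baseline comparison that passes is misleading if SCENoApplyLegacyAuditPolicy is not 1, because the legacy category settings would still be the ones in force. Replace the sample baseline with the subcategories your GPO is meant to set, and run the script through Invoke-Command to cover member servers in bulk.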
Figure 2. The Group Policy Results node shows a computer’s security settings.
Figure 3. SecPol.msc shows a computer’s security settings.
Now you have two ways to report on Advanced Audit Policy settings, not to mention the other key security setting that engages the Advanced Audit Policy settings on a computer. With these reports and verifications, you can be sure you have the best auditing in place. In addition, the tracking of changes made to Active Directory, files, and member servers will be exhaustive so that ADAudit Plus can show you reports on what has changed.
You said above that:
There, you will see a setting option that says, “Audit: Force Audit Policy subcategory settings (Windows Vista or later) to override Audit Policy category settings.” This setting will need to be set to “Disabled” in order for the Advanced Audit Policy settings to engage.
But I think you meant to say it must be ENABLED (which is what your screen grabs show).