Getting Effective Audit Policy Settings in Windows Server 2012

Posted on September 19, 2013 by Russell Smith in Windows Server 2012 with

How can I get the effective audit policy settings in Windows Server 2012?

Newer versions of Windows Server have two different places in policy where auditing can be configured. The basic audit configuration settings that most system administrators will be familiar with are located in Local and Group Policy in the following location: Computer Configuration\Policies\Security Settings\Local Policies\Audit Policies.

New advanced auditing capabilities, introduced in Windows Vista and Server 2008, provide a granular subset of the basic audit settings and can only be configured using the auditpol.exe command-line tool. Microsoft added policy settings in Windows 7 and Server 2008 R2 that allowed administrators to use Local and Group Policy to configure advanced auditing. The new settings are located at Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration\Audit Policies.

Determine Effective Auditing Policy

If you have auditing configured in Local and Group Policy, but are not sure which settings are effective on your machines, you can run auditpol to determine the exact configuration. Don’t rely on Group Policy reporting to give you a clear picture of the actual settings. Only auditpol can read the HKEY_LM\Security\Policy\PolAdtEv registry key that determines the effective audit settings.

auditpol.exe /get /category:*

Use auditpol to get effective audit policy settings

Disable Advanced Auditing

It’s possible to configure both basic and advanced audit configuration at the same time, but if advanced audit policy is configured, it will always override basic auditing. If you want to change this behavior, you can set Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to Disabled under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and then clear the audit policy on each affected machine using the following command: auditpol.exe /clear. The lesson here is that before you configure advanced auditing, make sure that you don’t want to go back to using basic auditing, because you cannot clear the configuration using Group Policy.

Tagged with ,

Register for this Webinar