Q: How can I prevent the Granular Audit Policies (GAPs) that I defined on my Windows Server 2008 servers from being overwritten by the audit policies that are defined in my Default Domain GPO?
April 13, 2009
A: Granular Audit Policies (GAPs) are a new feature introduced in Windows Vista and Windows Server 2008. In addition to the nine legacy audit policy categories, Microsoft created subcategories, for a total of 50 different audit policies. You can manage auditing either at the category level (the original nine policies) or at the subcategory level. The Audit Logon Events (Logon/Logoff) category, for example, was split into the following subcategories: Logon, Logoff, Account Lockout, IPsec Main Mode, IPsec Quick Mode, IPsec Extended Mode, Special Logon, Other Logon/Logoff Events, and Network Policy Server. You can't set the new audit subcategories via Group Policy Object (GPO) settings; you must use the Auditpol command line utility. This means you must run the Auditpol command on each computer where you want to define GAPs. Run auditpol /? to find out more about this command.
A side effect of the fact that GAPs can't be set from GPOs is that they're overwritten by legacy audit policy settings that are enforced through GPOs, such as the default domain GPO. If you set a GAP on one of your servers using Auditpol, it will be overwritten as soon as a GPO is enforced on that server. Microsoft provides a registry value, however, that can prevent that the legacy audit policy settings that are distributed via Group Policy from overriding GAP settings. The registry value is SCENoConfigLegacyAuditPolicy and is located in HKLMSystemCurrentControlSetControlLSA. If this registry value is present and set to a non-zero value, the legacy audit policy settings will not be applied if they are set through Group Policy. More information about this registry value is available in a Microsoft Knowledge Base article.
The SCENoConfigLegacyAuditPolicy registry value can also be controlled using the following GPO setting, located in the Security Options GPO container.
Audit: Force audit policy subcategory settings (WindowsVista or later) to override audit policy category settings
If you plan to use GAPs on your Vista and Server 2008 domain-joined machines, it's a best practice to enable the SCENoConfigLegacyAuditPolicy registry value. You should also enforce the GAPs using a recurring scheduled task that runs a batch file that sets the GAPs using Auditpol.
About the Author
You May Also Like