No chance that another GPO is being applied?

- Sean
> On Aug 8, 2014, at 6:50 AM, "Heaton, Joseph@Wildlife" <[email protected]> wrote:
>
> Yes, pretty much what I’ve been trying to do. But it just doesn’t seem to want to hold the settings. We only need two sub-categories, so I left the basic auditing set to Success/Failure, and in the sub-categories, I set just the two that I need, leaving the rest at No Auditing. But, if I go to a command prompt and run auditpol.exe /get /category:*, it shows that all the subcategories are set to Success/Failure. And I’m still getting tons of the 5156 events in the security log. I even verified that I have the setting under Local Policies: Security Options: “Audit: Force audit policy subcategory settings to override audit policy category settings” set to Enabled. Even if I change the basic to No Auditing, if I close and reopen the Local Policy, it shows back up.
>
> I know I forgot to mention it before, but the servers in question are Server 2012 R2, in case there’s differences.
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Sean Martin
> Sent: Thursday, August 07, 2014 9:36 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Setting auditing in local security policy
>
> No idea if this is your answer, but I recently had to modify our audit policy to disable the filtering platform connection sub-category. Under Local Policy/Audit Policy, I left object access set to success/failure, and then under advanced audit policy settings/object access, I configured each option but left the success/failure option unchecked for filtering platform connection, which set it to no auditing.
>
> - Sean
>
> On Aug 7, 2014, at 8:13 PM, "Heaton, Joseph@Wildlife" <[email protected]> wrote:
>
> I’m having a horrible time trying to get the right items audited. Started out with a GP, setting the basic auditing setting of Object Access to Success, Failure. Unfortunately, this filled my security log with event id 5156 entries. Did some research, and found these entries were from auditing of Filtering Platform Connection, which I don’t need audited. Figured out exactly what I do need audited, which is File Share and Handle Manipulation. Now, I can’t get these settings to stick. I’ve disabled all settings in the GPO that set the basic auditing, and on the file servers themselves, I’ve made sure that the basic Object Access is set to No Auditing, and the advanced settings are set to Success, Failure.
>
> On one server, when these are set, I reboot, and the basic setting is back to Success, Failure, which then enables all the subcategories as well. On the other server, when I look at Local Security Policy, it looks like things are correct, but when I go to a command line and use: auditpol.exe /get /category:*, it shows Object Access set to No Auditing for everything.
>
> Anyone have any advice?
>
> Joe Heaton
> Enterprise Server Support
> Information Technology Operations Branch
> Data and Technology Division
> CA Department of Fish and Wildlife
> 1807 13th Street, Suite 201
> Sacramento, CA 95811
> Desk: (916) 323-1284
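
Added example, not part of the thread and not written by either poster: a PowerShell check that compares the effective Object Access subcategories, as reported by auditpol's CSV output (`/r`), against the baseline described above (File Share and Handle Manipulation only). The function name `Compare-AuditBaseline`, the server name `SRV01` and the GUIDs in the sample are made up for illustration.

```powershell
# Added example, not from the thread. Function name, server name and GUIDs are made up.
function Compare-AuditBaseline {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,  # lines of `auditpol ... /r` CSV output
        [Parameter(Mandatory)][hashtable]$Wanted    # subcategory name -> wanted setting
    )
    # auditpol /r columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $name = $row.Subcategory
        # Anything not listed in the baseline is expected to be off.
        $expected = if ($Wanted.ContainsKey($name)) { $Wanted[$name] } else { 'No Auditing' }
        $actual = $row.'Inclusion Setting'
        if ($actual -ne $expected) {
            [pscustomobject]@{ Subcategory = $name; Effective = $actual; Expected = $expected }
        }
    }
}

# Baseline from the thread: only these two Object Access subcategories are audited.
$wanted = @{
    'File Share'          = 'Success and Failure'
    'Handle Manipulation' = 'Success and Failure'
}

# Constructed sample reproducing the symptom (every subcategory forced on).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'SRV01,System,File System,{00000000-0000-0000-0000-000000000001},Success and Failure,'
    'SRV01,System,Handle Manipulation,{00000000-0000-0000-0000-000000000002},Success and Failure,'
    'SRV01,System,File Share,{00000000-0000-0000-0000-000000000003},Success and Failure,'
    'SRV01,System,Filtering Platform Connection,{00000000-0000-0000-0000-000000000004},Success and Failure,'
)

# Lists every subcategory whose effective setting differs from the baseline.
Compare-AuditBaseline -CsvLines $sample -Wanted $wanted | Format-Table -AutoSize

# On a live server, from an elevated prompt:
#   Compare-AuditBaseline -CsvLines (auditpol.exe /get /category:"Object Access" /r) -Wanted $wanted
# Registry value behind "Audit: Force audit policy subcategory settings ..." (1 = Enabled):
#   Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name SCENoApplyLegacyAuditPolicy
# GPOs actually applied to the computer:
#   gpresult /scope computer /r
```

Running the live form right after `gpupdate /force` and again after a reboot shows at which point the subcategories revert.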

