It really seems like you have a GPO that is setting these for you somewhere.

*ASB*
*http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker>
*Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market...*

On Fri, Aug 8, 2014 at 12:10 PM, Heaton, Joseph@Wildlife <[email protected]> wrote:

> No, I just did a modeling, with the account I'm logging into the server
> with, and there are no auditing settings at all being applied through GPO
> to that box for me.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Sean Martin
> *Sent:* Friday, August 08, 2014 7:55 AM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] Setting auditing in local security policy
>
> No chance that another gpo is being applied?
>
> - Sean
>
> On Aug 8, 2014, at 6:50 AM, "Heaton, Joseph@Wildlife" <[email protected]> wrote:
>
> Yes, pretty much what I've been trying to do. But it just doesn't seem
> to want to hold the settings. We only need two sub-categories, so I left
> the basic auditing set to Success/Failure, and in the sub-categories, I set
> just the two that I need, leaving the rest at No Auditing. But, if I go to
> a command prompt and run auditpol.exe /get /category:*, it shows that all
> the subcategories are set to Success/Failure. And I'm still getting tons
> of the 5156 events in the security log. I even verified that I have the
> setting under Local Policies: Security Options: "Audit: Force audit policy
> subcategory settings to override audit policy category settings" set to
> Enabled. Even if I change the basic to No Auditing, if I close and reopen
> the Local Policy, it shows back up.
>
> I know I forgot to mention it before, but the servers in question are
> Server 2012 R2, in case there's differences.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Sean Martin
> *Sent:* Thursday, August 07, 2014 9:36 PM
> *To:* [email protected]
> *Subject:* Re: [NTSysADM] Setting auditing in local security policy
>
> No idea if this is your answer, but I recently had to modify our audit
> policy to disable the filtering platform connection sub-category. Under
> Local Policy/Audit Policy, I left object access set to success/failure, and
> then under advanced audit policy settings/object access, I configured each
> option but left the success/failure option unchecked for filtering platform
> connection, which set it to no auditing.
>
> - Sean
>
> On Aug 7, 2014, at 8:13 PM, "Heaton, Joseph@Wildlife" <[email protected]> wrote:
>
> I'm having a horrible time trying to get the right items audited.
> Started out with a GP, setting the basic auditing setting of Object Access
> to Success, Failure. Unfortunately, this filled my security log with event
> id 5156 entries. Did some research, and found these entries were from
> auditing of Filtering Platform Connection, which I don't need audited.
> Figured out exactly what I do need audited, which is File Share and Handle
> Manipulation. Now, I can't get these settings to stick. I've disabled all
> settings in the GPO that set the basic auditing, and on the file servers
> themselves, I've made sure that the basic Object Access is set to No
> Auditing, and the advanced settings are set to Success, Failure.
>
> On one server, when these are set, I reboot, and the basic setting is back
> to Success, Failure, which then enables all the subcategories as well. On
> the other server, when I look at Local Security Policy, it looks like
> things are correct, but when I go to a command line and use: auditpol.exe
> /get /category:*, it shows Object Access set to No Auditing for
> everything.
>
> *Anyone have any advice?*
>
> Joe Heaton
> Enterprise Server Support
> Information Technology Operations Branch
> Data and Technology Division
> CA Department of Fish and Wildlife
> 1807 13th Street, Suite 201
> Sacramento, CA 95811
> Desk: (916) 323-1284
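
Added example, not part of the original thread: a PowerShell check that compares the effective Object Access subcategory settings (the CSV report from `auditpol /get ... /r`) against the state the thread is aiming for, File Share and Handle Manipulation audited and everything else at No Auditing. The function name `Compare-ObjectAccessAudit`, the host name and the GUIDs in the sample report are assumptions made for illustration.

```powershell
# Desired Object Access state from the thread: audit only these two subcategories.
$Wanted = @{
    'File Share'          = 'Success and Failure'
    'Handle Manipulation' = 'Success and Failure'
}

function Compare-ObjectAccessAudit {
    # $Report: lines of `auditpol /get /category:"Object Access" /r` (CSV report).
    param([Parameter(Mandatory)][string[]]$Report)
    $Report | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        $name = $_.Subcategory.Trim()
        # Any subcategory not listed in $Wanted is expected to be off.
        $want = if ($Wanted.ContainsKey($name)) { $Wanted[$name] } else { 'No Auditing' }
        if ($_.'Inclusion Setting' -ne $want) {
            [pscustomobject]@{
                Subcategory = $name
                Actual      = $_.'Inclusion Setting'
                Wanted      = $want
            }
        }
    }
}

# Constructed sample report (host name and GUIDs are placeholders, not real values).
$Sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
FS01,System,File System,{00000000-0000-0000-0000-000000000001},Success and Failure,
FS01,System,Handle Manipulation,{00000000-0000-0000-0000-000000000002},Success and Failure,
FS01,System,File Share,{00000000-0000-0000-0000-000000000003},Success and Failure,
FS01,System,Filtering Platform Connection,{00000000-0000-0000-0000-000000000004},Success and Failure,
'@ -split "`r?`n"

# Lists the subcategories that drifted from the desired state
# (here: File System and Filtering Platform Connection).
Compare-ObjectAccessAudit -Report $Sample | Format-Table -AutoSize

# On the server itself, from an elevated prompt:
#   Compare-ObjectAccessAudit -Report (auditpol /get /category:"Object Access" /r)
# Turn off one drifted subcategory:
#   auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
# The "Audit: Force audit policy subcategory settings..." option is stored as
# SCENoApplyLegacyAuditPolicy = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa:
#   Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy
```

Running the comparison before and after a reboot or a `gpupdate /force` shows whether something is rewriting the subcategories, which is the symptom described in the thread.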

