Ben, Thanks you were definitely on the right track. For the 2008 server systems, we have a GPO that defines Advanced Audit policy, and we also have Audit: Force audit policy subcategory settings to override audit policy category settings to enabled. What I didn't realize is that with this combination in place, the expected behavior of an RSOP is to have those red Xs in the Legacy Audit Policy category.
But for the 2003 systems that are experiencing this, I'm still stumped. Not all 2003 systems are experiencing this, just some. And since they don't have those settings applied, and even if they did, they won't work since they are 2003 systems, I'm not sure what is causing this. I also don't see anything in Winlogon.log for the 2003 systems. In the 2008 systems we found this as an indicator: Legacy audit settings are disabled. Skipped configuration of legacy audit settings. Chris Bodnar, MCSE, MCITP Technical Support III Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: [email protected] Phone: 610-807-6459 Fax: 610-807-6003 From: Ben Scott <[email protected]> To: "NT System Admin Issues" <[email protected]> Date: 10/13/2011 06:03 PM Subject: Re: Issue with Group Policy Audit Policy On Thu, Oct 13, 2011 at 4:53 PM, Christopher Bodnar <[email protected]> wrote: > W2K3 FFL What server OS version and service pack? What client OS version and service pack? > So far I've seen this on every system I've connected to. Have you checked the system to see what it's actually doing for auditing? For example, is it logging Security events for account logons? Right now we have a tool saying policy didn't apply, but are we sure policy *actually* didn't apply? It could be the policy is working fine and the diagnostic is broken. If the client OS is Vista or later, see what the AUDITPOL command-line tool tells you. For example: auditpol /get /category:* I'm not sure how Vista reacts in the case of both AUDITPOL policies and Group Policy audit policies being defined (AUDITPOL is not Group Policy aware). -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
