Getting Effective Audit Policy Settings in Windows Server 2012
How can I get the effective audit policy settings in Windows Server 2012?
Newer versions of Windows Server have two different places in policy where auditing can be configured. The basic audit configuration settings that most system administrators will be familiar with are located in Local and Group Policy in the following location: Computer Configuration\Policies\Security Settings\Local Policies\Audit Policies.
New advanced auditing capabilities, introduced in Windows Vista and Server 2008, provide a granular subset of the basic audit settings and can only be configured using the auditpol.exe command-line tool. Microsoft added policy settings in Windows 7 and Server 2008 R2 that allowed administrators to use Local and Group Policy to configure advanced auditing. The new settings are located at Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration\Audit Policies.
Determine Effective Auditing Policy
If you have auditing configured in Local and Group Policy, but are not sure which settings are effective on your machines, you can run auditpol to determine the exact configuration. Don’t rely on Group Policy reporting to give you a clear picture of the actual settings. Only auditpol can read the HKEY_LM\Security\Policy\PolAdtEv registry key that determines the effective audit settings.
auditpol.exe /get /category:*
Say Goodbye to Traditional PC Lifecycle Management
Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.
Disable Advanced Auditing
It’s possible to configure both basic and advanced audit configuration at the same time, but if advanced audit policy is configured, it will always override basic auditing. If you want to change this behavior, you can set Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to Disabled under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and then clear the audit policy on each affected machine using the following command: auditpol.exe /clear. The lesson here is that before you configure advanced auditing, make sure that you don’t want to go back to using basic auditing, because you cannot clear the configuration using Group Policy.