
Getting Effective Audit Policy Settings in Windows Server 2012

How can I get the effective audit policy settings in Windows Server 2012?

Newer versions of Windows Server have two different places in policy where auditing can be configured. The basic audit configuration settings that most system administrators will be familiar with are located in Local and Group Policy in the following location: Computer Configuration\Policies\Security Settings\Local Policies\Audit Policies.

New advanced auditing capabilities, introduced in Windows Vista and Server 2008, provide a granular subset of the basic audit settings and could originally be configured only with the auditpol.exe command-line tool. Microsoft added policy settings in Windows 7 and Server 2008 R2 that allow administrators to use Local and Group Policy to configure advanced auditing. The new settings are located at Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration\Audit Policies.

Determine Effective Auditing Policy

If you have auditing configured in Local and Group Policy, but are not sure which settings are effective on your machines, you can run auditpol to determine the exact configuration. Don’t rely on Group Policy reporting to give you a clear picture of the actual settings. Only auditpol can read the HKLM\Security\Policy\PolAdtEv registry key that determines the effective audit settings.

auditpol.exe /get /category:*


Use auditpol to get effective audit policy settings
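To check the effective settings against what you intended to deploy, the auditpol output can be parsed and compared with a baseline. The following is an added example, not code from the original article: the function names, the baseline values and the sample rows (including the placeholder GUIDs) are assumptions made for illustration, and it relies on auditpol's /r switch, which emits the report as CSV.

```powershell
# Added example: compare effective audit policy with an intended baseline.
# Function names, baseline values and sample rows are constructed.

function Get-EffectiveAuditPolicy {
    param([string[]]$CsvLines)
    # With no input, query the live system (needs an elevated prompt).
    if (-not $CsvLines) { $CsvLines = auditpol.exe /get /category:* /r }
    # The CSV report contains blank lines; drop them before parsing.
    $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
}

function Compare-AuditBaseline {
    param([object[]]$Policy, [hashtable]$Baseline)
    foreach ($name in $Baseline.Keys) {
        $row = $Policy | Where-Object { $_.Subcategory -eq $name }
        # A subcategory absent from the report is flagged as 'Missing'.
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Missing' }
        if ($actual -ne $Baseline[$name]) {
            [pscustomobject]@{
                Subcategory = $name
                Expected    = $Baseline[$name]
                Actual      = $actual
            }
        }
    }
}

# Constructed sample in the column layout of "auditpol /get /category:* /r".
# The GUIDs are placeholders, not real subcategory GUIDs.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    ''
    'SRV01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,'
    'SRV01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,'
)

# Assumed baseline: the settings you believe Group Policy is delivering.
$baseline = @{
    'Logon'            = 'Success and Failure'
    'Process Creation' = 'Success'
}

# Emits one object per subcategory whose effective setting differs.
$policy = Get-EffectiveAuditPolicy -CsvLines $sample
Compare-AuditBaseline -Policy $policy -Baseline $baseline
```

On a server, call Get-EffectiveAuditPolicy without -CsvLines to evaluate the live policy. Subcategory names in the report follow the system language, so the baseline keys here assume an English installation.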

Disable Advanced Auditing

It’s possible to configure both basic and advanced audit policy at the same time, but if advanced audit policy is configured, it will always override basic auditing. If you want to change this behavior, set “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to Disabled under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and then clear the audit policy on each affected machine using the following command: auditpol.exe /clear. The lesson here is that before you configure advanced auditing, make sure that you don’t want to go back to using basic auditing, because you cannot clear the configuration using Group Policy.
