Newer versions of Windows Server have two different places in policy where auditing can be configured. The basic audit configuration settings that most system administrators will be familiar with are located in Local and Group Policy in the following location: Computer Configuration\Policies\Security Settings\Local Policies\Audit Policies.
New advanced auditing capabilities, introduced in Windows Vista and Server 2008, provide a granular subset of the basic audit settings and could initially only be configured using the auditpol.exe command-line tool. Microsoft added policy settings in Windows 7 and Server 2008 R2 that allow administrators to use Local and Group Policy to configure advanced auditing. The new settings are located at Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration\Audit Policies.
If you have auditing configured in Local and Group Policy, but are not sure which settings are effective on your machines, you can run auditpol to determine the exact configuration. Don’t rely on Group Policy reporting to give you a clear picture of the actual settings. Only auditpol can read the HKEY_LOCAL_MACHINE\Security\Policy\PolAdtEv registry key that determines the effective audit settings. To list the effective setting for every category, run:
auditpol.exe /get /category:*
It’s possible to configure both basic and advanced audit configuration at the same time, but if advanced audit policy is configured, it will always override basic auditing. If you want to change this behavior, set the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to Disabled under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and then clear the audit policy on each affected machine using the following command: auditpol.exe /clear. The lesson here is that before you configure advanced auditing, make sure that you don’t want to go back to using basic auditing, because you cannot clear the configuration using Group Policy.
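The following PowerShell is an added example, not part of the original article: it parses the CSV form of the auditpol report (the /r switch) to compare effective subcategory settings against a baseline, then reads the registry value behind the "Force audit policy subcategory settings" option. The sample rows, host name, GUIDs and baseline are constructed, the function names are hypothetical, and English-language auditpol output is assumed.

```powershell
# Added example, not from the original article. English-language auditpol output assumed.
function Get-EffectiveAuditPolicy {
    param(
        # Lines in "auditpol /r" CSV format; defaults to querying the live machine
        # (which needs an elevated prompt).
        [string[]]$CsvLines = (auditpol.exe /get /category:* /r)
    )
    $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        Select-Object Subcategory, @{ Name = 'Setting'; Expression = { $_.'Inclusion Setting' } }
}

function Compare-AuditBaseline {
    param(
        [Parameter(Mandatory)] [object[]]$Effective,
        [Parameter(Mandatory)] [hashtable]$Baseline   # Subcategory -> expected setting
    )
    foreach ($name in $Baseline.Keys) {
        $actual = ($Effective | Where-Object Subcategory -eq $name).Setting
        if (-not $actual) { $actual = 'Not reported' }
        if ($actual -ne $Baseline[$name]) {
            # Emit one object per subcategory that has drifted from the baseline.
            [pscustomobject]@{ Subcategory = $name; Expected = $Baseline[$name]; Actual = $actual }
        }
    }
}

# Constructed sample in the /r layout (host name and GUIDs are placeholders).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'SRV01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,'
    'SRV01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,'
    'SRV01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000003},Success,'
)

# Hypothetical baseline; substitute your organisation's required settings.
$baseline = @{
    'Logon'               = 'Success and Failure'
    'Process Creation'    = 'Success'
    'Audit Policy Change' = 'Success'
}

# Reports only "Process Creation" (expected Success, actual No Auditing).
Compare-AuditBaseline -Effective (Get-EffectiveAuditPolicy -CsvLines $sample) -Baseline $baseline

# Registry value behind the "Force audit policy subcategory settings" security option:
# 1 = subcategory settings override category settings, 0 = they do not, empty = not configured.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
```

Calling Get-EffectiveAuditPolicy with no arguments from an elevated prompt runs the same comparison against the live machine instead of the sample.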