I have a Server 2008 R2 machine that is receiving its Advanced Audit Policy settings from a GPO. Not all of the settings are being applied. Most apply correctly, but there are some items that do not. I tried setting the *missing* items using Local Policy, and they still did not show up. If I use auditpol /set... it works. Why would certain settings not be applied via GPO?

I have tried with the Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" set to enabled and disabled. If I have this setting set to enabled and clear the audit policy (auditpol /clear), the policy settings from the GPO do not apply AT ALL even though they are Advanced settings. I have to set the policy setting to disabled, then run gpupdate to get the policy settings to reapply.

Missing Settings

- Process Creation - Success
- Audit Policy Change - Failure
- Sensitive Privilege Use - Success
- IPsec Driver - Failure
- Security State Change - Failure
- Security System Extension - Failure
- System Integrity - Failure

Advanced Audit Settings from GPO

| Category | Policy | Setting |
| --- | --- | --- |
| Account Logon | Audit Credential Validation | Success, Failure |
| Account Management | Audit Computer Account Management | Success, Failure |
| Account Management | Audit Other Account Management Events | Success, Failure |
| Account Management | Audit Security Group Management | Success, Failure |
| Account Management | Audit User Account Management | Success, Failure |
| Detailed Tracking | Audit Process Creation | Success |
| Logon/Logoff | Audit Logoff | Success |
| Logon/Logoff | Audit Logon | Success, Failure |
| Logon/Logoff | Audit Special Logon | Success |
| Object Access | Audit File System | Failure |
| Object Access | Audit Handle Manipulation | Failure |
| Object Access | Audit Registry | Failure |
| Policy Change | Audit Audit Policy Change | Success, Failure |
| Policy Change | Audit Authentication Policy Change | Success |
| Privilege Use | Audit Sensitive Privilege Use | Success, Failure |
| System | Audit IPsec Driver | Success, Failure |
| System | Audit Security State Change | Success, Failure |
| System | Audit Security System Extension | Success, Failure |
| System | Audit System Integrity | Success, Failure |

- Global Object Access Auditing : File: Failure, Everyone, Full Control
- Global Object Access Auditing : Registry: Failure, Everyone, Full control

Result of auditpol /get /category:*

```
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success
  System Integrity                        Success
  IPsec Driver                            Success
  Other System Events                     Success
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             Failure
  Registry                                Failure
  Kernel Object                           Failure
  SAM                                     Failure
  Certification Services                  Failure
  Application Generated                   Failure
  Handle Manipulation                     Failure
  File Share                              Failure
  Filtering Platform Packet Drop          Failure
  Filtering Platform Connection           Failure
  Other Object Access Events              Failure
  Detailed File Share                     Failure
Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             Failure
  Other Privilege Use Events              Failure
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             Success
  MPSSVC Rule-Level Policy Change         Success
  Filtering Platform Policy Change        Success
  Other Policy Change Events              Success
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure
```

Content of C:\Windows\Security\audit\audit.csv

```
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Credential Validation,{0cce923f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Computer Account Management,{0cce9236-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Other Account Management Events,{0cce923a-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security Group Management,{0cce9237-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit User Account Management,{0cce9235-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
,System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success,,1
,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Special Logon,{0cce921b-69ae-11d9-bed3-505054503030},Success,,1
,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit Handle Manipulation,{0cce9223-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Failure,,2
,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success,,1
,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
,,FileGlobalSacl,,,,S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
,,RegistryGlobalSacl,,,,S:(AU;FA;KA;;;WD)
,System,Audit Credential Validation,,Success and Failure,,3
,System,Audit Computer Account Management,,Success and Failure,,3
,System,Audit Other Account Management Events,,Success and Failure,,3
,System,Audit Security Group Management,,Success and Failure,,3
,System,Audit User Account Management,,Success and Failure,,3
,System,Audit Process Creation,,Success,,1
,System,Audit Logoff,,Success,,1
,System,Audit Logon,,Success and Failure,,3
,System,Audit Special Logon,,Success,,1
,System,Audit File System,,Failure,,2
,System,Audit Registry,,Failure,,2
,System,Audit Audit Policy Change,,Success and Failure,,3
,System,Audit Authentication Policy Change,,Success,,1
,System,Audit Sensitive Privilege Use,,Success and Failure,,3
,System,Audit IPsec Driver,,Success and Failure,,3
,System,Audit Security State Change,,Success and Failure,,3
,System,Audit Security System Extension,,Success and Failure,,3
,System,Audit System Integrity,,Success and Failure,,3
```
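
The gap between what the GPO wrote to audit.csv and what `auditpol` reports can be listed mechanically. The PowerShell below is an added example, not part of the original post: it compares audit.csv rows with rows in the `auditpol /get /category:* /r` report format, matching by GUID and falling back to the subcategory name for rows written without one. The function name `Compare-AuditPolicy`, the machine name `SERVER01` and the sample rows (built from values shown in the post) are constructed for illustration.

```powershell
# Added example: list subcategories whose effective setting differs from audit.csv.
function Compare-AuditPolicy {              # hypothetical helper name
    param([object[]]$Expected, [object[]]$Effective)
    $byGuid = @{}; $byName = @{}            # @{} keys compare case-insensitively
    foreach ($row in $Effective) {
        if ($row.'Subcategory GUID') { $byGuid[$row.'Subcategory GUID'] = $row }
        $byName[$row.Subcategory] = $row
    }
    foreach ($want in $Expected) {
        # Global SACL rows carry no policy target and are not subcategory settings.
        if ($want.'Policy Target' -ne 'System') { continue }
        # audit.csv prefixes each name with "Audit "; auditpol output does not.
        $name = $want.Subcategory -replace '^Audit ', ''
        $have = $null
        if ($want.'Subcategory GUID') { $have = $byGuid[$want.'Subcategory GUID'] }
        if (-not $have) { $have = $byName[$name] }   # rows written without a GUID
        $actual = if ($have) { $have.'Inclusion Setting' } else { '(not reported)' }
        if ($actual -ne $want.'Inclusion Setting') {
            New-Object PSObject -Property @{
                Subcategory = $name; Expected = $want.'Inclusion Setting'; Effective = $actual
            } | Select-Object Subcategory, Expected, Effective
        }
    }
}

# Constructed sample rows using values from the post; SERVER01 is a placeholder.
# Live data: $expected  = Import-Csv C:\Windows\Security\audit\audit.csv
#            $effective = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$expected = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Process Creation,{0cce922b-69ae-11d9-bed3-505054503030},Success,,1
,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
,System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3
,,FileGlobalSacl,,,,S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
,System,Audit Audit Policy Change,,Success and Failure,,3
'@ | ConvertFrom-Csv
$effective = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SERVER01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
SERVER01,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},Success,
SERVER01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
SERVER01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,
'@ | ConvertFrom-Csv

Compare-AuditPolicy -Expected $expected -Effective $effective | Format-Table -AutoSize
```

Running the live variant after each `gpupdate` shows whether a change to the "Force audit policy subcategory settings" option altered the effective policy.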