Consider the following scenario:
Default Domain Policy had local security auditing policies with very specific settings:
Audit account logon events Success, Failure
Audit account management Success
Audit directory service access Success
Audit logon events Success
Audit policy change Success, Failure
Audit privilege use Success
Audit process tracking Failure
Audit system events Success
These settings are working and applied across the domain to all workstations and servers (not domain controllers). A decision is made to alter the policy settings so that they revert to the default behavior for servers and workstations, by setting all of the audit policies to "Not Configured" in the Default Domain Policy. When put into effect, all servers and workstations that do not have explicitly defined local policies do not display "Not Configured" when the Default Domain Policy is applied. Instead they all display "No Auditing", which is not what was set in the Default Domain Policy.
There is a big difference between "Not Configured" and "No Auditing". My hat's off to anyone that can provide an explanation as Microsoft India has been toiling to provide me an explanation for over two months. I've provided all kinds of diagnostic logs and they have had multiple people remotely connect and attempt to figure out what has happened, so far no explanation.
The domain is a mix of Windows 2003 and 2008 R2 domain controllers running at Windows 2003 functional level. The servers are a mix of 2003 through 2008 R2. The workstations are both Windows XP and 7. Explicitly setting the policies on a local server or workstation is allowed, and is one of the reasons the change was made in the first place. The expected behavior was that all computers getting the policy applied would log events under the default setting for the O/S type as explained in each discrete audit policy, for example:
Audit logon events
This security setting determines whether the OS audits each instance of a user attempting to log on to or to log off from this computer.
Log off events are generated whenever a logged on user account's logon session is terminated. If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).
Default values on Client editions:
Logon: Success
Logoff: Success
Account Lockout: Success
IPsec Main Mode: No Auditing
IPsec Quick Mode: No Auditing
IPsec Extended Mode: No Auditing
Special Logon: Success
Other Logon/Logoff Events: No Auditing
Network Policy Server: Success, Failure
What we got instead was a blank security log on all systems in the domain from the time the Default Domain Policy went into effect.
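The following is an added example, not part of the original post and not from Microsoft: a PowerShell check a practitioner could run in an elevated prompt on an affected Windows 7 / 2008 R2 machine to compare the effective per-subcategory audit settings with the client-edition defaults quoted above for the Logon/Logoff category. It assumes auditpol.exe is available (Vista/2008 and later; it will not run on the XP/2003 machines in this domain), and the expected table is taken from the defaults quoted in the post. The final registry read reports the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" option, which decides whether the nine legacy category settings delivered by Group Policy or the subcategory settings win on a given machine.

```powershell
# Added example (not from the original post): compare the effective
# Logon/Logoff subcategory audit settings on this machine with the
# client-edition defaults quoted in the post. Run elevated.
# Assumption: auditpol.exe exists (Vista/2008 and later); the expected
# values below are the defaults quoted above, not an authoritative table.

$expected = @{
    'Logon'                     = 'Success'
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Success'
    'IPsec Main Mode'           = 'No Auditing'
    'IPsec Quick Mode'          = 'No Auditing'
    'IPsec Extended Mode'       = 'No Auditing'
    'Special Logon'             = 'Success'
    'Other Logon/Logoff Events' = 'No Auditing'
    'Network Policy Server'     = 'Success and Failure'
}

# /r emits CSV with the columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$effective = auditpol /get /category:'Logon/Logoff' /r | ConvertFrom-Csv

# Report every subcategory whose effective "Inclusion Setting" differs from
# the quoted default. A machine that shows "No Auditing" everywhere after
# the GPO change will list every Success/Failure row here.
$drift = foreach ($row in $effective) {
    $name = $row.Subcategory.Trim()
    if ($expected.ContainsKey($name) -and
        $row.'Inclusion Setting' -ne $expected[$name]) {
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $expected[$name]
            Effective   = $row.'Inclusion Setting'
        }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    'Logon/Logoff subcategories match the quoted client defaults.'
}

# Legacy-vs-subcategory precedence. When SCENoApplyLegacyAuditPolicy is 1,
# the nine legacy category settings pushed by Group Policy (the ones listed
# at the top of the post) are ignored in favour of the subcategory settings
# checked above; when it is 0 or absent, the legacy category values apply.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -ErrorAction SilentlyContinue
'SCENoApplyLegacyAuditPolicy = {0}' -f $lsa.SCENoApplyLegacyAuditPolicy
```

Running this before and after a `gpupdate /force` on one workstation shows whether the Default Domain Policy is actually writing "No Auditing" to each category or whether the machine is simply left with whatever the legacy/subcategory precedence setting selects.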