Hi guys,
We have basically no auditing on our 2008 R2 Domain Controllers. It was working fine. When I get on the DCs and run gpresult /r I can see that the default domain controller GPO is getting applied and is not being filtered. When I go into rsop.msc on the DCs, I can look up auditing and see the correct policy settings coming from the Default Domain Controller policy, but those settings have a red X on them. An example is
(Red X)Policy:Audit account logon events Computer Setting: Success,Faulre Source GPO: Default Domain Controllers Policy
I know that Group policy auditing can get a lot more granular with 2008R2, butI am getting almost nothing in the daily security logs. When I do run gpresult /h and output the settings look correct there(no red X). In RSOP, when I do go to properties on one Red X settings, it says "the policy engine did not attempt to configure the setting" Any ideas?
In the winlogon.log it mentions "Legacy audit settings are disabled. skipped configuration of legacy audit settings"
This is my guess as to the problem. We do have an Advanced Audit Configuration setting set and so maybe the legacy policies were ignored.
As soon as you start applying Advanced Audit Configuration Policy, legacy policieswill be completely ignored. The only way to get a Win7/R2 computer to start using legacy policy is to set the security policy“Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to DISABLED. - http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
Dan Heim