Windows Server Audit Policy Reset
I run across a very strange issue a few days ago and I feel that I should share it with you since it took me some time to figure it out!
Some Exchange servers had stopped recording events in the Security log. The first thing that crossed my mind was to check the latest event in the Security log that would probably be the event regarding the audit policy change. I was correct, there were many events with id 4719 that showed that the policy had been changed. The next step would be to update the policy in order to enable auditing.
There were servers that had auditing configured according the security baseline so I backed up the auditing configuration from one of them using the command:
Next I copied the file to the server with the issue and used the command:
to restore the settings. The command completed successfully and it was time to check the new auditing settings. For this I used the command:
Events had started to appear on the security log and everything seemed to be fine. After a few minutes the events had stopped on the security log and after I checked the auditing configuration all settings were set to disabled.
This led me to believe that there's a GPO configured that disables auditing. This was a longshot however since not all exchange servers were affected by this issue. I checked all the GPOs that had been applied to the affected servers but none of them had anything close to auditing settings.
A few bing searches later, I've come across an article that explained that when Advanced Audit Policy Configurations have been configured on a system, they overwrite the standard Audit Policies!
This didn't seem to be that case since there were no Advanced Audit Policies configured. This does not mean though that Advanced Audit Policies have never been set...
The server had been stuck in a state where it though that it had to apply Advanced Audit Policies event though it didn't this led to standard policies being disabled.
In order to resolve the issue, I renamed the following files on the server:
Some Exchange servers had stopped recording events in the Security log. The first thing that crossed my mind was to check the latest event in the Security log that would probably be the event regarding the audit policy change. I was correct, there were many events with id 4719 that showed that the policy had been changed. The next step would be to update the policy in order to enable auditing.
There were servers that had auditing configured according the security baseline so I backed up the auditing configuration from one of them using the command:
auditpol /backup /file:C:\Temp\Audit.txt
Next I copied the file to the server with the issue and used the command:
auditpol /restore /file:C:\Temp\Audit.txt
to restore the settings. The command completed successfully and it was time to check the new auditing settings. For this I used the command:
auditpol /get /category:*
Events had started to appear on the security log and everything seemed to be fine. After a few minutes the events had stopped on the security log and after I checked the auditing configuration all settings were set to disabled.
This led me to believe that there's a GPO configured that disables auditing. This was a longshot however since not all exchange servers were affected by this issue. I checked all the GPOs that had been applied to the affected servers but none of them had anything close to auditing settings.
A few bing searches later, I've come across an article that explained that when Advanced Audit Policy Configurations have been configured on a system, they overwrite the standard Audit Policies!
This didn't seem to be that case since there were no Advanced Audit Policies configured. This does not mean though that Advanced Audit Policies have never been set...
The server had been stuck in a state where it though that it had to apply Advanced Audit Policies event though it didn't this led to standard policies being disabled.
In order to resolve the issue, I renamed the following files on the server:
In case of local advanced audit policy configurations
- C:\Windows\Security\Audit\Audit.csv
- C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv
- SYSVOL\Domain\Policies\{GPO GUID}\Machine\Microsoft\Windows NT\Audit\Audit.csv