advanced audit policy dabbling and regretting
noticed a lot of "windows filtering platform" events on a 2008 R2 member server in a 2008 R2 domain.

for grins, disabled windows filtering platform events on my GPO that sets audit settings. gpupdate on client, events stopped as desired. got rid of the windows filtering platform settings on the gpo, gpupdate on the client, events started again. ok. all working as expected.

then i went in to the local security policy on this same member server and disabled the windows filtering platform auditing. events stopped. i realized *all* security events had stopped. did some research, found out that legacy auditing settings and advanced auditing settings can't live together. so i removed the windows filtering platform configuration from the local security settings on the client. gpupdate /force to get the group policy auditing settings back. they show up in rsop and gpresult /H.

but it's still not auditing anything (this is an exchange server so there are constant logins). auditpol /get /category:* shows no auditing on anything on this client. i disabled the "force audit policy subcategory settings to override audit policy category settings" option. gpupdate /force on the client, still no auditing. auditpol /clear and gpupdate /force, still no auditing. group policy is refreshing ok. it's just not getting the auditing settings. this is only on the client where i configured local policy for a minute. when i do a gpupdate, i see a bunch of audit policy 4719 events in the security log, they just say "this/that/success/failure removed." i even made a benign change to the audit policy GPO to see if that would kickstart it, and that change does appear in rsop and gpresult /h. but no auditing. gpresult /H does show the local group policy in the "applied gpos" section, but none of the settings show "local group policy" as the winning gpo.

how do i get this client to pick up the (legacy) audit settings in group policy again?
February 29th, 2012 11:27am
further review:
when i do a gpupdate, i see 49 4719 events in one second, all adding auditing per my GPO settings. then i see one 6144 "other policy change events" event confirming that the two expected GPOs have been applied to the server. then the next second, i see 49 more 4719 events, all removing auditing. in the second between the first and second groups of 4719 events, i also see a handful of normal auditing events (logon logoff, object access, etc.).

there is no 6144 event at the end of the second group of 49 "remove" 4719 events, so i can't tell where they are coming from. the security ID, account name, account domain, and logon ID all look exactly the same as they do in all the events in the first group of 49 "add" 4719 events.
February 29th, 2012 12:26pm
Hi,
It seems you have tried to configure Windows Filtering Platform audit settings (which belong to Advanced Audit Policies) in both GPO and local security policy. If you want to use Advanced Audit Policies, please understand that using both advanced and basic audit policy settings can cause unexpected results. If you use Advanced Audit Policy Configuration settings or use logon scripts (for computers running Windows Vista or Windows Server 2008) to apply advanced audit policy, be sure to enable the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.
For more information, please refer to:
Advanced Security Auditing FAQ
http://technet.microsoft.com/en-us/library/ff182311(v=ws.10).aspx
Advanced Security Auditing in Windows 7 and Windows Server 2008 R2
http://social.technet.microsoft.com/wiki/contents/articles/advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx
If this does not address the issue, please let us know more information:
What policies have been enabled now?
Do you use GPO or local security policy, or both?
Regards,
Bruce
March 2nd, 2012 6:57am
nope. i *do not* want to configure advanced auditing settings. i tried them for about 30 seconds, and then i turned them off, and now the client won't re-apply the basic audit settings from the gpo. (the gpo *only* has basic audit settings).

what i want is for this client to re-apply the basic audit settings from the gpo that it had prior to my 30 seconds of dabbling in advanced auditing settings. but it won't do this, even after i
1. removed all the advanced settings from the local security policy on the client
2. disabled the "force audit policy subcategory settings to override audit policy category settings" setting in the gpo, and
3. gpupdate /force /target:computer on the client.

it seems like changing the advanced auditing settings even once on the local group policy "tattooed" the group policy engine on the client to ignore basic auditing settings, even though no auditing is configured in the local policy AND i disabled the setting for subcategory settings to override category settings.

if i disable the Computer Configuration Settings on the properties of the local security policy, the computer correctly applies the basic audit settings from the GPO when i gpupdate.
March 2nd, 2012 10:52am
Hi John
Take a look at this article...
http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
It might help you determine what's going on and includes an example of how to put back to default.
Douks
March 2nd, 2012 12:10pm
i saw that one, it's how i found out the new and the old don't play well.
but i don't have a problem resetting back to default with auditpol /clear.
again, my problem is getting the client machine to reapply basic auditing settings from group policy after i've touched the advanced settings on its local security policy, even after i remove the advanced settings on the local security policy, and/or run auditpol /clear.
March 2nd, 2012 11:09pm
I know this doesn't solve your problem, but it is important to note that auditpol /clear doesn't put back defaults - it clears all auditing settings.
To get Windows defaults back you need to back them up to a file from a freshly installed machine (or one of your good servers) using auditpol /backup, and then import to this machine using auditpol /restore.
Have you tried this?
Douks
March 3rd, 2012 4:22am
i don't even want windows defaults. what i want is to get the audit policy in the gpo that's been in place and working for years.
here is the behavior on a second "good" machine in the same domain getting the same group policies as the trouble machine. i have never configured advanced audit policy on this machine.
1. auditpol /clear
2. auditpol /get /category:* yields no auditing on anything
3. gpupdate /force /target:computer
4. auditpol /get /category:* yields auditing corresponding with the gpo settings.
again, on the trouble machine where i DID configure advanced auditing in the local policy, but then removed it, here is the behavior.
1. auditpol /clear
2. auditpol /get /category:* yields no auditing on anything
3. gpupdate /force /target:computer
4. auditpol /get /category:* yields no auditing on anything
March 4th, 2012 12:40am
Please confirm in the registry of the troubled machine that
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\SCENoApplyLegacyAuditPolicy
is set to 0.
Douks
March 4th, 2012 3:55am
yes it is.
how do i clear *all* settings from the Local Security Policy, so that everything is unconfigured?
March 4th, 2012 8:12pm
Look at your group policies in SYSVOL on your domain controller[s].
You specifically want to look here:
\\domaincontroller\c$\WINDOWS\SYSVOL\domain\Policies\{policyID}\Machine\Microsoft\Windows NT\Audit
There will be an audit.csv file in this path. You are safe to delete the entire Audit directory. Even though you disable Advanced Auditing, it leaves this file behind, and even if it's empty, it stops the legacy auditing from working.
Forgot to mention, if this was on local policy, look here: %systemroot%\security\audit\audit.csv
March 13th, 2012 5:22pm
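The leftover-file diagnosis above can be scripted. The following PowerShell is an added example, not code from the thread or from Microsoft: it checks the three things the thread turned out to hinge on (the SCENoApplyLegacyAuditPolicy registry value, a residual local audit.csv, and domain GPOs that ship an advanced audit.csv in SYSVOL), then counts recent 4719 "added" versus "removed" events so the add-then-strip pattern the original poster saw is visible at a glance. It assumes an elevated session on a domain-joined server with English event text and read access to SYSVOL.

```powershell
# Added diagnostic (not from the thread): find leftover Advanced Audit Policy
# state that blocks legacy (category) audit settings delivered by Group Policy.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$localCsv = Join-Path $env:SystemRoot 'security\audit\audit.csv'

# 1. Subcategory override flag: 1 = advanced settings win, legacy ignored.
$prop = Get-ItemProperty -Path $lsaKey -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
$override = if ($null -eq $prop) { 'not set' } else { $prop.SCENoApplyLegacyAuditPolicy }
"SCENoApplyLegacyAuditPolicy : $override"

# 2. Residual local advanced-policy file. Per the thread, even an empty
#    audit.csv here stops the GPO's legacy audit settings from applying.
if (Test-Path $localCsv) {
    $size = (Get-Item $localCsv).Length
    "Local audit.csv            : PRESENT ($size bytes) -> $localCsv"
} else {
    "Local audit.csv            : absent"
}

# 3. Domain GPOs carrying an advanced audit.csv (SYSVOL path from the thread).
#    Assumes USERDNSDOMAIN is set, i.e. a domain-joined machine.
$domain = $env:USERDNSDOMAIN
if ($domain) {
    $policies = "\\$domain\SYSVOL\$domain\Policies"
    Get-ChildItem -Path $policies -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $csv = Join-Path $_.FullName 'Machine\Microsoft\Windows NT\Audit\audit.csv'
        if (Test-Path $csv) { "GPO advanced audit.csv     : $($_.Name) -> $csv" }
    }
}

# 4. Recent 4719 (audit policy change) events split by direction. A refresh
#    that adds settings and then removes them again shows as two large counts.
#    A single event can list both an added and a removed change, so it may
#    count on both sides.
$since  = (Get-Date).AddMinutes(-15)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $since } -ErrorAction SilentlyContinue)
$added   = @($events | Where-Object { $_.Message -match 'Added' }).Count
$removed = @($events | Where-Object { $_.Message -match 'Removed' }).Count
"4719 events (last 15 min)  : $added added, $removed removed"

# 5. Effective policy as LSA currently holds it.
auditpol /get /category:*
```

If step 2 reports a present file while step 1 reports 0 or "not set", that matches the thread's failure mode: delete the file, then gpupdate /force /target:computer and re-run the script.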
there we go. i had to *delete* audit.csv from the local machine. "auditpol /clear" apparently wasn't enough.
i had previously disabled the computer settings in the local security policy of the problem machine, since i don't use it anyway. this allowed the machine to apply the audit settings from group policy. but i would prefer not to have a one-off, and leave the local security policy at its default settings.
after i deleted audit.csv from the machine, i re-enabled the computer settings in the local computer settings and refreshed group policy, and the machine re-applied the correct GPO auditing settings again. thanks guys.
March 13th, 2012 6:02pm