Domain Audit Policy not applying to one server

Beth Bergin

We have an Active Directory domain that has 19 Windows 2000 servers.
We apply a GPO from the domain to all the servers and we have one
server that has just recently stopped getting the Audit Policy
effective settings from the GPO. All other policies are getting
applied from the GPO (user rights, security options). Does anyone know
why this might be happening just on this one server? I tried pulling
it from the domain and rejoining it but that didn't work.
 
GX

Beth,

What setting is it getting? Is this on the same OU as the other servers?
Member server or DC?
 
Beth Bergin

The settings are all set to No Auditing under both the Local setting
and the Effective setting. It is in the same OU as all the other
servers in the domain and is receiving all the other GPO settings we
have set to push down from the dc (user rights assignments, security
options all show set under effective settings). This is a member server
in the domain. I tried pulling it completely out for a day and putting
it back but that did not work. I do see the GP getting applied a
couple of times every day (by looking in the event viewer->application
log->SceCli). The event says:

Security policy in the group policy objects are applied successfully

What is kind of strange is that if I look at the security Event log,
every time the policy refreshes I get two log events. Both are 612
Policy Change events. The first one is:
Audit Policy Change
New Policy
Success Failure
+ + Logon/Logoff
+ + Object Access
+ + Privilege Use
and so on....
Then the next newest entry in the Security log (which according to the
log happens at exactly the same time) is also a 612 Policy change
event and looks like it changes everything back to not auditing
anything
Success Failure
- - Logon/Logoff
- - Object Access
- - Privilege Use
and so on...
If I set the Audit Policy locally to log events it works until the
Domain Security policy is applied. Any thoughts?
 
Steven L Umbach

Run netdiag on the problem server to see if all looks well particularly for dns,
domain membership, and dc list. Then run gpresult on it looking to see where computer
settings are being applied from and do the same on one of the other servers
[gpresult] that is working right to see if the results match. It certainly sounds as
if the local policy is being overridden by a policy with higher precedence. I wonder
if there is a GPO configured somewhere where the audit policy is being applied for
those servers that is using filtering to apply only to certain computers via the GPO
properties/security - read and apply permissions and the problem computer is not
included or is denied based on group membership or such. Gpresult may be able to
help track that down. Keep in mind that if there are multiple GPOs for an OU the one
highest in the list takes precedence. --- Steve
 
Beth Bergin

I ran netdiag (everything was fine). Then I ran gpresult on the problem
server and also on another server in the domain that is not having the
problem. The only difference I see between the gpresults is:

Server that isn't receiving properly:
The computer received "Security" settings from these GPOs:

Local Group Policy
Revision Number: 27
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer

Default Domain Policy
Revision Number: 311
Unique Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
Domain Name: DOM.FB
Linked to: Domain (DC=DOM,DC=FB)

Win2KBaseline
Revision Number: 206
Unique Name: {33EA3AD8-3435-448E-868F-9043840DBC7B}
Domain Name: DOM.FB
Linked to: Organizational Unit (OU=CENTRAL,DC=DOM,DC=FB)

Server that is receiving properly:
The computer received "Security" settings from these GPOs:

Default Domain Policy
Revision Number: 311
Unique Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
Domain Name: DOM.FB
Linked to: Domain (DC=DOM,DC=FB)

Win2KBaseline
Revision Number: 206
Unique Name: {33EA3AD8-3435-448E-868F-9043840DBC7B}
Domain Name: DOM.FB
Linked to: Organizational Unit (OU=CENTRAL,DC=DOM,DC=FB)

Does the problem have to do with the extra setting (Revision number
27)?
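
The gpresult comparison Steve suggests is easy to script when there are 19 servers to check rather than two. The following Python is an added example, not code from anyone in the thread: it parses the "Security" section in the format quoted in Beth's post and reports every GPO whose presence or revision number differs between two hosts. The function names are illustrative, and the input is assumed to contain only that section.

```python
import re
MARKER = 'The computer received "Security" settings from these GPOs:'
# GPO blocks exactly as quoted in the thread's gpresult output.
LOCAL = """Local Group Policy
Revision Number: 27
Unique Name: Local Group Policy
Domain Name:
Linked to: Local computer
"""
DOMAIN = """Default Domain Policy
Revision Number: 311
Unique Name: {31B2F340-016D-11D2-945F-00C04FB984F9}
Domain Name: DOM.FB
Linked to: Domain (DC=DOM,DC=FB)

Win2KBaseline
Revision Number: 206
Unique Name: {33EA3AD8-3435-448E-868F-9043840DBC7B}
Domain Name: DOM.FB
Linked to: Organizational Unit (OU=CENTRAL,DC=DOM,DC=FB)
"""
PROBLEM_SERVER = MARKER + "\n\n" + LOCAL + "\n" + DOMAIN
WORKING_SERVER = MARKER + "\n\n" + DOMAIN
FIELD = re.compile(r"^(Revision Number|Unique Name|Domain Name|Linked to):\s*(.*)$")

def parse_security_gpos(text):
    """Return {gpo_name: {field: value}} for the "Security" section."""
    section = text.partition(MARKER)[2]
    gpos, current = {}, None
    for line in map(str.strip, section.splitlines()):
        m = FIELD.match(line)
        if m and current:
            gpos[current][m.group(1)] = m.group(2)
        elif line:
            current = line  # any other non-blank line names the next GPO
            gpos[current] = {}
    return gpos

def diff_gpos(problem, working):
    """Return (name, revision on problem host, revision on working host);
    a revision of None means the GPO is absent on that host."""
    p, w = parse_security_gpos(problem), parse_security_gpos(working)
    findings = []
    for name in sorted(set(p) | set(w)):
        rev_p = p.get(name, {}).get("Revision Number")
        rev_w = w.get(name, {}).get("Revision Number")
        if rev_p != rev_w:
            findings.append((name, rev_p, rev_w))
    return findings
print(diff_gpos(PROBLEM_SERVER, WORKING_SERVER))
```

On the thread's data the only difference reported is `Local Group Policy` at revision 27, present on the problem server and absent on the working one, which is the same difference Beth spotted by eye.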

