Re: Local Audit Policy - Administrator cannot change?

Wesley Vogel

and "Local Policies" have lock icons overlaid.

Those locks are just part of the whole icon, they don't mean anything.

Have a look at...

Administrative Templates\Windows Components\Microsoft Management Console\
Restrict users to the explicitly permitted list of snap-ins
http://www.boyce.us/gp/gpcontent.asp?ID=572

http://www.kellys-korner-xp.com/xp_tweaks.htm
296. Lift MMC/GPEDIT Snap-In Restrictions

Administrative Templates\Windows Components\Microsoft Management Console\
Restrict the user from entering author mode
http://www.boyce.us/gp/gpcontent.asp?ID=571

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User


James Garrison

Wesley said:
Those locks are just part of the whole icon, they don't mean anything.

Have a look at...

Administrative Templates\Windows Components\Microsoft Management Console\
Restrict users to the explicitly permitted list of snap-ins
http://www.boyce.us/gp/gpcontent.asp?ID=572

http://www.kellys-korner-xp.com/xp_tweaks.htm
296. Lift MMC/GPEDIT Snap-In Restrictions

Administrative Templates\Windows Components\Microsoft Management Console\
Restrict the user from entering author mode
http://www.boyce.us/gp/gpcontent.asp?ID=571

This is on Windows Server 2003. I did a complete search of the registry
and didn't find any of the keys referred to in the links you gave. In
fact, other than the keys defining the MMC objects and snapins, there
are no keys with an element name of mmc at all.

I'm trying to adjust a specific audit policy. I opened up an empty
MMC and added the Local Computer Policy snapin. The path to the
object I want to change is:

Local Computer Policy
Computer Configuration
Windows Settings
Security Settings
Local Policies
Audit Policies
Audit Object Access

I want to change it to log both success and failure, not just failure.
I can get to it just fine, but the dialog that comes up when I
double-click the object is grayed out and won't let me change it.

Do I need to make a complete custom policy template and apply it?
Is that the only way to tweak a single setting on a machine?
 

Steven L Umbach

It sounds like you have a domain/OU level GPO that is overriding the Local
Security Policy settings you want to change and that is why they are grayed
out. For domain controllers use Domain Controller Security Policy to set
audit policy. If not a domain controller run rsop.msc on that Windows 2003
server to see what GPO is applying those audit settings and then configure
them in that GPO to suit your needs or create a new GPO that is "closer" to
the Windows 2003 server and configure your settings there. Group Policy is
applied in this order where the last GPO applied wins if the same setting is
defined in multiple GPOs - local>site>domain>OU>child OU. --- Steve
 

James Garrison

Steven said:
It sounds like you have a domain/OU level GPO that is overriding the Local
Security Policy settings you want to change and that is why they are grayed
out. For domain controllers use Domain Controller Security Policy to set
audit policy. If not a domain controller run rsop.msc on that Windows 2003
server to see what GPO is applying those audit settings and then configure
them in that GPO to suit your needs or create a new GPO that is "closer" to
the Windows 2003 server and configure your settings there. Group Policy is
applied in this order where the last GPO applied wins if the same setting is
defined in multiple GPOs - local>site>domain>OU>child OU. --- Steve

Aha - that's the piece I was missing.

RSOP shows that the Default Domain Policy is indeed the Source GPO.
So, I added a GPOE instance in MSC for the Default Domain Policy and
set the desired policy there. Should that automatically propagate to
the server in question (which is not a DC)? I refreshed RSOP and it's
not showing up there after 20 minutes or so. Do I need to reboot? I
tried logging off and back on but that didn't appear to have any effect.
 

Steven L Umbach

The new GPO would need to be above the default domain GPO in the list of GPOs
linked to the domain container and then those settings would apply to all
domain computers. If that is not what you want then "filter" the new GPO so
that the apply permission for it only applies to a global group that
contains the domain computers you want it to apply to. If you want the audit
settings to apply to all domain computers it would be easier to just modify
Domain Security Policy.

Once you have done the changes you want then it will take up to a couple
hours for the changes to apply to the server unless you reboot it or run
gpupdate on it to force a refresh of Group Policy. Sometimes though it seems
that a reboot is needed if gpupdate does not do the trick. If you have a
Windows 2003 domain controller you can use the mmc snapin on it for RSOP in
modeling mode to see if your Group Policy settings are configured correctly for
the target computer/user. --- Steve
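
Added example, not part of any post in this thread: a simplified model of the precedence Steve describes (local > site > domain > OU > child OU, last applied wins), showing why the local "Audit object access" value is overridden and which GPO RSoP would report as the source. The GPO names other than Default Domain Policy and the template snippets are constructed; the `[Event Audit]` keys follow the security template (.inf) format, and the model assumes no link enforcement, inheritance blocking or security filtering.

```python
import configparser

# Application order from the thread: later levels override earlier ones.
ORDER = ["local", "site", "domain", "ou", "child_ou"]
# Audit values in a security template are a bitmask: 1 = success, 2 = failure.
FLAGS = {0: "no auditing", 1: "success", 2: "failure", 3: "success+failure"}

def parse_event_audit(template_text):
    """Return {setting: int} from the [Event Audit] section of a template."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key case, e.g. AuditObjectAccess
    cp.read_string(template_text)
    if not cp.has_section("Event Audit"):
        return {}
    return {key: int(value) for key, value in cp.items("Event Audit")}

def resolve(gpos):
    """gpos: list of (level, gpo_name, template_text).
    Returns {setting: (value, winning_gpo_name)}."""
    effective = {}
    # sorted() is stable, so GPOs at the same level keep their list order.
    for level, name, text in sorted(gpos, key=lambda g: ORDER.index(g[0])):
        for setting, value in parse_event_audit(text).items():
            effective[setting] = (value, name)  # last GPO applied wins
    return effective

def describe(effective, setting):
    value, source = effective[setting]
    return f"{setting}: {FLAGS[value]} (from {source})"

# Constructed sample templates (not taken from a real system).
LOCAL = """
[Event Audit]
AuditObjectAccess = 3
AuditLogonEvents = 1
"""
DEFAULT_DOMAIN = """
[Event Audit]
AuditObjectAccess = 2
"""
SERVER_OU = """
[Event Audit]
AuditObjectAccess = 3
"""
SAMPLE = [("domain", "Default Domain Policy", DEFAULT_DOMAIN),
          ("local", "Local Computer Policy", LOCAL)]

if __name__ == "__main__":
    print(describe(resolve(SAMPLE), "AuditObjectAccess"))
    with_ou = SAMPLE + [("ou", "Server Audit GPO (hypothetical)", SERVER_OU)]
    print(describe(resolve(with_ou), "AuditObjectAccess"))
```

The first result matches what James saw: the domain GPO defines the setting, so the local value never takes effect. A setting the domain GPO leaves undefined (AuditLogonEvents here) still comes from local policy.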
 
