Hi,
I am sorry for re-posting this in a new thread, but the old thread has obviously been marked as answered, so it seems no one reads it anymore. OK. I admit I was a bit stupid to make changes to the Default Domain Policy without testing them first. Anyway, I wanted to alter the audit policy on Windows Server 2008 R2 (domain and forest functional level is Windows Server 2003) to audit file access on the network, so I switched Audit Object Access in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy on, as I would do on Windows Server 2003.
I had no idea (my fault, I know) that Microsoft introduced the new Advanced Audit Policy Configuration in the Windows Server 2008 R2 edition. After applying the changes, my Security log instantly started filling with 5145 events (Detailed File Share), so I started looking for a solution to this problem online, and some "expert" advised configuring the Audit Detailed File Share subcategory of Advanced Audit Policy Configuration with the Success and/or Failure check boxes cleared. So this "expert" did so, and the Security log stopped writing any logs. After this I disabled (set back to default values) both Audit Object Access in the “old” audit policy and Audit Detailed File Share in the Advanced Audit Policy, but there was no result. auditpol /get /category:* returned No Auditing for all subcategories.

To cut a long story short, after some research I realized that I will have to set all settings back manually (because I was so smart not to back up the settings before messing with them), and I figured out how to do that thanks to this thread mostly, so thank you a lot for that.

Also, I’ve learnt my lesson and recreated the same scenario on a virtual machine. First I turned Audit: Force audit policy subcategory settings (Windows Vista or later).... in Local Policies\Security Options on and set values for the subcategories in Advanced Audit Policy Configuration using the GP Editor. After running gpupdate /force, the changes were successfully applied. After I made changes using the auditpol tool, they would disappear as soon as I ran gpupdate again, and until I changed that key in the registry and switched Audit: Force audit policy subcategory settings (Windows Vista or later).... and then set all subcategories in Advanced Audit Policy Configuration to their default values (not configured), I could not make any changes to the policy using the auditpol tool.

Can anyone explain such behavior? What is the difference between altering settings using the Group Policy Editor and the auditpol command line tool, and to what policy do changes apply if you, for example, issue a command auditpol /set /subcategory:"Category_Name" /success:enable /failure:enable (I am issuing those on a DC)? Also, if I want the audit policy settings defined in the Default Domain Policy to apply to Windows XP machines in the domain, do I have to define the “old” audit settings explicitly through the GP Editor?
NB