noticed a lot of "windows filtering platform" events on an 2008 r2 member server in a 2008 R2 domain.
for grins, disabled windows filtering platform events on my GPO that sets audit settings. gpupdate on client, events stopped as desired. got rid of the windows filtering platform settings on the gpo, gpupdate on the client, events started again. ok. all working as expected.
then i went in to the local security policy on this same member server and disabled the windows filtering platform auditing. events stopped. i realized *all* security events had stopped. did some research, found out that legacy auditing settings and advanced auditing settings can't live together. so i removed the windows filtering platform configuration from the local security settings on the client. gpupdate /force to get the group policy auditing settings back. they show up in rsop and gpresult /H. but it's still not auditing anything (this is an exchange server so there are constant logins). auditpol /get /category:/* shows no auditing on anything on this client. i Disabled the "force audit policy subcategory settings to override audit policy category settings" option. gpupdate /force on the client, still no auditing. auditpol /clear and gpupdate /force, still no auditing. group policy is refreshing ok. it's just not getting the auditing settings. this is only on the client where i configured local policy for a minute. when i do a gpupdate, i see a bunch of audit policy 4719 events in the security log, they just say "this/that/success/failure removed." i even made a benign change to the audit policy GPO to see if that would kickstart it, and that change does appear in rsop and gpresult /h. but no auditing. gpresult /H does show the local group policy in the "applied gpos" section, but none of the settings show "local group policy" as the winning gpo.
how do i get this client to pick up the (legacy) audit settings in group policy again?