Security auditing settings are not applied to Windows Vista-based and Window Server 2008-based computers when you deploy a domain-based policy

Article ID: 921468 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

Consider the following scenario. You deploy a domain-based policy to configure security auditing settings on Windows Vista-based or Windows Server 2008-based computers in an Active Directory directory service domain. You run the Resultant Set of Policy (RSoP) tool on one of the Windows Vista-based or Windows Server 2008-based computers. When you do this, the RSoP tool indicates that the policy is being applied. However, the policy is not actually applied to one or more Windows Vista-based or Windows Server 2008-based computers.
Back to the top | Give Feedback

CAUSE

This issue occurs if the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting is enabled in Windows Vista or in Windows Server 2008. The policy setting can be enabled by using Group Policy or it can be enabled manually by modifying the registry.
Back to the top | Give Feedback

RESOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: Disable the policy setting by using Group Policy Object Editor

Verify that the policy setting was enabled by using Group Policy, and then disable the policy setting by using Group Policy Object Editor. To do this, follow these steps:
  1. Verify that the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting was enabled by using Group Policy. To do this, follow these steps:
    1. On the computer, click Start, point to All Programs, click Accessories, click Run, type rsop.msc in the Open box, and then click OK.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
    3. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    4. Verify that the policy setting is set to Enabled, and then note the Group Policy object (GPO).
  2. Disable the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting in the GPO. To do this, follow these steps:
    1. In Group Policy Object Editor, open the GPO.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
    3. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    4. Click Disabled, and then click OK.
  3. Restart the computer or computers.

Method 2: Disable the policy setting by using Registry Editor

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756
(http://support.microsoft.com/kb/322756/ )
How to back up and restore the registry in Windows
To manually disable the policy setting by using Registry Editor, follow these steps:
  1. Log on to Windows Vista or Windows Server 2008 as a user who is a member of the Administrators group.
  2. Click Start, point to All Programs, click Accessories, click Run, type regedit in the Open box, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
  3. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
  4. Right-click SCENoApplyLegacyAuditPolicy, and then click Modify.
  5. Type 0 in the Value data box, and then click OK.
  6. Exit Registry Editor.
  7. Restart the computer.
Note If the policy is a domain-based policy, and it is not a locally-based policy, you may have to wait for Active Directory replication and SYSVOL replication to complete before the policy settings take effect on the computers.
Back to the top | Give Feedback

MORE INFORMATION

Windows Vista and later versions of Windows enable you to manage audit policies in a more precise manner by using audit policy subcategories. If you configure audit policies at the category level, you override audit policy subcategories.

If you want to manage audit policies by using audit policy subcategories, and you do not want to use Group Policy, you can configure the SCENoApplyLegacyAuditPolicy registry entry. When you configure the SCENoApplyLegacyAuditPolicy registry entry, you prevent category-level audit policies that were configured by using either Group Policy or the Local Security Policy tool from being applied.

However, be aware that the policy setting may not be enforced if a different policy is configured to override the category-level audit policy. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
921469
(http://support.microsoft.com/kb/921469/ )
How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 or Windows 2000 domain
Back to the top | Give Feedback

Properties

Article ID: 921468 - Last Review: November 13, 2006 - Revision: 2.5
APPLIES TO
  • Windows Vista Ultimate
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
Keywords: 
kbregistry kbexpertiseinter kbtshoot kbprb KB921468
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top