AuditPol and Local Security Policy results may differ
This article helps fix an issue where audit policy settings with AuditPol and the Local Security Policy (SECPOL.msc) show different results.
Applies to: Windows Server 2012 R2
Original KB number: 2573113
Symptoms
When viewing audit policy settings with AuditPol and the Local Security Policy (SECPOL.msc), the settings may show different results.
Cause
AuditPol directly calls authorization APIs to implement the changes to the granular audit policy. Secpol.msc manipulates the Local Group Policy Object, which results in writing the changes to %SYSTEMROOT%\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv. The settings saved to the .csv file aren't applied directly to the system at the time of modification, but are instead written to the file and read later by the client-side extension (CSE). At the next group policy refresh cycle, the CSE applies the modifications that are present in the .csv file.
Secpol.msc displays what is set in the local GPO. There's no "effective settings" view in secpol.msc that will merge granular AuditPol settings and what is defined locally as seen with secpol.msc.
Resolution
From an administrative command prompt, you can use AuditPol to view the defined auditing settings by running:
auditpol /get /category:*
More information
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for