Otdfbt

Is using 'echo' to display attacker-controlled data on the terminal dangerous?

Should I refuse being named as co-author of a bad quality paper?

Which languages would be most useful in Europe at the end of the 19th century?

Non-aqueous eyes?

Whats the meaning of enp#s#f#?

Scientist couple raises alien baby

Should I put programming books I wrote a few years ago on my resume?

Creating an Output vs. snipping tool

Why can I traceroute to this IP address, but not ping?

If there's something that implicates the president why is there then a national security issue? (John Dowd)

Bb13b9 confusion

Someone whose aspirations exceed abilities or means

What is the color of artificial intelligence?

How do free-speech protections in the United States apply in public to corporate misrepresentations?

Explain the ending of Black Mirror's "Smithereens"

I have a problematic assistant manager, but I can't fire him

Why was this person allowed to become Grand Maester?

Why Does Mama Coco Look Old After Going to the Other World?

Printing Pascal’s triangle for n number of rows in Python

How can I remove material from this wood beam?

60s or 70s novel about Empire of Man making 1st contact with 1st discovered alien race

Who won a Game of Bar Dice?

Insert external file and modify each line from script

Can the removal of a duty-free sales trolley result in a measurable reduction in emissions?

Command to Get Security Audit settings

Firewall define program exceptions Group Policy not applyingTracking local user accounts for security auditMissing Account audit events on DC'sCommand line tool for listing audit policy settingsEditing local Windows Firewall Policy via PowershellCannot RDP into Windows Server 2016: 0x80090302get audit settings file or directoryWindows registry subkey creation not generating logs (Windows event ID 4657)Windows 10 enable Firewall logging via gpo

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

0

Im looking to retrieve the Security audit configuration on a domain joined PC which has audit settings applied Via a domain GPO, but im getting - what seems to be - conflicting results. If i run an RSOP, i see the aduting settings, but Auditpol /get /category:"Logon/Logoff" shows No Auditing. Likewise the local security policy UI, or an secedit export all show No Auditing (AuditLogonEvents = 0). See screenshot below. I know there's a legacy and advanced version of auditing which could be determined by the SCENoApplyLegacyAuditPolicy reg key under HKLMSystemCurrentControlSetControlLSA but i dont see the key at all on this machine in question. How could i accurately fetch the auditing settings under any scenario?

windows group-policy audit

share|improve this question

edited May 24 at 17:53

Joe

asked May 24 at 15:07

JoeJoe

1315

add a comment | 

0

Im looking to retrieve the Security audit configuration on a domain joined PC which has audit settings applied Via a domain GPO, but im getting - what seems to be - conflicting results. If i run an RSOP, i see the aduting settings, but Auditpol /get /category:"Logon/Logoff" shows No Auditing. Likewise the local security policy UI, or an secedit export all show No Auditing (AuditLogonEvents = 0). See screenshot below. I know there's a legacy and advanced version of auditing which could be determined by the SCENoApplyLegacyAuditPolicy reg key under HKLMSystemCurrentControlSetControlLSA but i dont see the key at all on this machine in question. How could i accurately fetch the auditing settings under any scenario?

windows group-policy audit

share|improve this question

edited May 24 at 17:53

Joe

asked May 24 at 15:07

JoeJoe

1315

add a comment | 

Im looking to retrieve the Security audit configuration on a domain joined PC which has audit settings applied Via a domain GPO, but im getting - what seems to be - conflicting results. If i run an RSOP, i see the aduting settings, but Auditpol /get /category:"Logon/Logoff" shows No Auditing. Likewise the local security policy UI, or an secedit export all show No Auditing (AuditLogonEvents = 0). See screenshot below. I know there's a legacy and advanced version of auditing which could be determined by the SCENoApplyLegacyAuditPolicy reg key under HKLMSystemCurrentControlSetControlLSA but i dont see the key at all on this machine in question. How could i accurately fetch the auditing settings under any scenario?

windows group-policy audit

share|improve this question

edited May 24 at 17:53

Joe

asked May 24 at 15:07

JoeJoe

1315

share|improve this question

edited May 24 at 17:53

Joe

asked May 24 at 15:07

JoeJoe

1315

share|improve this question

edited May 24 at 17:53

Joe

asked May 24 at 15:07

JoeJoe

1315

asked May 24 at 15:07

JoeJoe

1315

asked May 24 at 15:07

JoeJoe

1315

1 Answer
1

active

oldest

votes

0

Auditpol is for Advanced Audit Policy settings.

The policy settings configured in the screenshot are legacy audit policy settings. To view those use:

secedit /export /areas SECURITYPOLICY /cfg Filename.txt

share|improve this answer

answered May 24 at 17:32

Greg AskewGreg Askew

29.4k33770

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hi Greg, I added a second screenshot which shows that the secedit export is also showing no auditing.
  
  – Joe
  May 24 at 17:54
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If you want to use legacy audit policies, the registry value needs to be set to 0.
  
  – Greg Askew
  May 24 at 19:38
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So if i understand you correctly, unless i've got the reg setting set, the audit settings showing in RSOP are not actually applied?
  
  – Joe
  May 24 at 19:40
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Correct. This has been a well known issue for a long time and is documented here: support.microsoft.com/en-us/help/921468/… .
  
  – Greg Askew
  May 25 at 14:36
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f968733%2fcommand-to-get-security-audit-settings%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

Auditpol is for Advanced Audit Policy settings.

The policy settings configured in the screenshot are legacy audit policy settings. To view those use:

secedit /export /areas SECURITYPOLICY /cfg Filename.txt

share|improve this answer

answered May 24 at 17:32

Greg AskewGreg Askew

29.4k33770

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hi Greg, I added a second screenshot which shows that the secedit export is also showing no auditing.
  
  – Joe
  May 24 at 17:54
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If you want to use legacy audit policies, the registry value needs to be set to 0.
  
  – Greg Askew
  May 24 at 19:38
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So if i understand you correctly, unless i've got the reg setting set, the audit settings showing in RSOP are not actually applied?
  
  – Joe
  May 24 at 19:40
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Correct. This has been a well known issue for a long time and is documented here: support.microsoft.com/en-us/help/921468/… .
  
  – Greg Askew
  May 25 at 14:36
  

  
  
  
  

add a comment | 

0

Auditpol is for Advanced Audit Policy settings.

The policy settings configured in the screenshot are legacy audit policy settings. To view those use:

secedit /export /areas SECURITYPOLICY /cfg Filename.txt

share|improve this answer

answered May 24 at 17:32

Greg AskewGreg Askew

29.4k33770

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Hi Greg, I added a second screenshot which shows that the secedit export is also showing no auditing.
  
  – Joe
  May 24 at 17:54
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If you want to use legacy audit policies, the registry value needs to be set to 0.
  
  – Greg Askew
  May 24 at 19:38
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So if i understand you correctly, unless i've got the reg setting set, the audit settings showing in RSOP are not actually applied?
  
  – Joe
  May 24 at 19:40
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Correct. This has been a well known issue for a long time and is documented here: support.microsoft.com/en-us/help/921468/… .
  
  – Greg Askew
  May 25 at 14:36
  

  
  
  
  

add a comment | 

Auditpol is for Advanced Audit Policy settings.

The policy settings configured in the screenshot are legacy audit policy settings. To view those use:

secedit /export /areas SECURITYPOLICY /cfg Filename.txt

share|improve this answer

answered May 24 at 17:32

Greg AskewGreg Askew

29.4k33770

secedit /export /areas SECURITYPOLICY /cfg Filename.txt

share|improve this answer

answered May 24 at 17:32

Greg AskewGreg Askew

29.4k33770

answered May 24 at 17:32

Greg AskewGreg Askew

29.4k33770

answered May 24 at 17:32

Greg AskewGreg Askew

29.4k33770