I'm trying to enable Kerberos Authentication auditing in a GPO for the purpose of sending auth events to an AD-integrated web filter appliance, and the instructions have me enable auditing of the Kerberos Authentication services by going to:
Computer Configuration
> Policies
> Windows Settings
> Security Settings
> Advanced Audit Policy Configuration
> System Audit Policies - Local Group Policy Object
> Account Logon
> Audit Kerberos Authentication Service
But when I look at my GPO objects (for example, "Default Domain Controller Policy"), I don't even see the "Advanced Audit Policy Configuration" node under "Security Settings".
I've searched every way I know how to find out if this advanced node is an something that needs to be enabled somehow or if there's some other reason why it wouldn't be showing up, but I'm coming up empty. Everything I've found just talks about it like it should always be there…
This is in a Windows Server 2008 functional level domain/forest, if that matters.
Any help is greatly appreciated.
EDIT 1: Prompted by the answer below from TheCleaner, I realized that our DCs are all 2008, not R2 (the last remaining 2008s in our organization), and this is a feature new to 2008 R2.
I tried installing GPMC on a 2008 R2 member server and setting the policy there, but it doesn't look like it's being applied to the 2008 DCs, even after a gpupdate /force (I will try rebooting tonight to see if that helps).
Is this audit policy setting ("Audit Kerberos Authentication Service" > "Success" enabled) available elsewhere in 2008, or was it a new policy settings added in 2008 R2?
EDIT 2: This TechNet article seems to indicate that the policy setting is only available on Windows 6.1 (Win7/2008R2), but that the audit events should appear on anything 6.0 (Vista/2008) and up…
Should I be more patient waiting for the GPO to be applied, or just wait until the reboot?
EDIT 3: Okay, 4 out of my 5 DCs (all running 2008) are now respecting the "Audit Kerberos Authentication Service" audit policy and are generating the security log events that I need for this to work. I was given clearance to reboot the one DC that still isn't showing the Kerberos audit events, and it's still not showing them.
Ordinarily I would do an RSoP or gpresult to see which settings are being/not being applied to this DC and why, but in this case, both omit the "Advanced Audit Policy Configuration" settings, even when run remotely on the R2 server I used to configure them…
Any suggestions for troubleshooting 2008-applicable GPO settings that don't show up in the 2008 GPMC?
Best Answer
On a 2008 R2 DC, in GPMC, it should be there by default (make sure you are using the GPMC within a 2008 R2 DC). Are you actually looking down far enough? It's at the bottom of the list.
You can try right clicking "Security Settings" and choose reload if you don't see it, but by default it is in 2008 R2.