Missing Account audit events on DC’s

active-directory audit group-policy

I recently discovered that all of our domain controllers (2008 R2, domain and forest functional level is 2008 R2) are no longer logging AD account logon events to the Security Log.

The Default Domain Controllers GPO:

Audit account logon events – Success,Failure

Audit account management events – Success,Failure

Audit directory service access – Success

Audit Account logon events – Success,Failure

Audit system events – Success,Failure

The RSOP shows the above policy as being the winning GPO.
Group Policy Management Console results wizard shows the above policy as the winner as well.

When I run auditpol /get /category:* I get the following results:

System audit policy
Category/Subcategory                      Setting
  Logon/Logoff
    Logon                                   No Auditing
    Logoff                                  No Auditing
    Account Lockout                         No Auditing
    IPsec Main Mode                         No Auditing
    IPsec Quick Mode                        No Auditing
    IPsec Extended Mode                     No Auditing
    Special Logon                           No Auditing
    Other Logon/Logoff Events               No Auditing
  Account Management
    User Account Management                 No Auditing
    Computer Account Management             No Auditing
    Security Group Management               No Auditing
    Distribution Group Management           No Auditing
    Application Group Management            No Auditing
    Other Account Management Events         No Auditing
  Account Logon
    Kerberos Service Ticket Operations      No Auditing
    Other Account Logon Events              No Auditing
    Kerberos Authentication Service         No Auditing
    Credential Validation                   No Auditing

All other categories are "No Auditing" as well.

Am I missing anything obvious?
Or am I going to have to set the Advanced Audit Policy settings?

Best Answer

You should use the Advanced Audit Policy. It gives you better control over what you audit. Here is a link to the difference between the basic policy and advanced policy: https://technet.microsoft.com/en-us/library/ff182311%28v=ws.10%29.aspx#BKMK_2

If you need a reference on what options in the Advanced Audit Policy to set, refer to a baseline like CIS: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2008_R2_Benchmark_v2.1.0.pdf
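
A check that can be run over saved `auditpol /get /category:*` output from each DC to list where the effective policy falls short of the GPO settings in the question. This is an added example, not part of the original question or answer; `INTENDED`, `parse_auditpol`, `find_gaps` and the sample text are constructed for illustration.

```python
import re

# Intended outcomes per auditpol category, from the GPO listed in the question.
INTENDED = {
    "Account Logon": {"Success", "Failure"},
    "Account Management": {"Success", "Failure"},
    "DS Access": {"Success"},  # basic "directory service access"
    "System": {"Success", "Failure"},
}
ROW = re.compile(r"^\s*(\S.*?)\s{2,}(Success and Failure|Success|Failure|No Auditing)\s*$")

def parse_auditpol(text):
    """Return {category: {subcategory: set of audited outcomes}}."""
    policy, category = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("System audit policy", "Category/Subcategory")):
            continue
        row = ROW.match(line)
        if row and category is not None:
            name, setting = row.groups()
            policy[category][name] = set() if setting == "No Auditing" else set(setting.split(" and "))
        else:  # a line without a setting column starts a new category
            category = stripped
            policy.setdefault(category, {})
    return policy

def find_gaps(policy, intended=INTENDED):
    """List (category, subcategory, missing outcomes); subcategory None = category absent."""
    gaps = []
    for category, wanted in intended.items():
        if category not in policy:
            gaps.append((category, None, sorted(wanted)))
        for name, audited in policy.get(category, {}).items():
            if wanted - audited:
                gaps.append((category, name, sorted(wanted - audited)))
    return gaps

# Constructed sample in the layout of the output shown in the question.
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
  Account Management
    User Account Management                 Success
  Account Logon
    Kerberos Authentication Service         No Auditing
    Credential Validation                   Success and Failure
"""

print(find_gaps(parse_auditpol(SAMPLE)))
```

Each tuple names a subcategory whose effective setting audits less than the GPO intends, which is the mismatch the question describes between RSOP and `auditpol`.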