Advanced Audit Policy not getting applied on 2012 R2

Solution 1:

I realize this is an older question, and that you resolved the issue a different way; however, the reason it wasn't working originally was due to "Audit: Force audit policy subcategory settings" being enabled. As explained in this article on TechNet:

The lack of Object Access auditing is expected: as soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored. The only way to get a Win7/R2 computer to start using legacy policy is to set the security policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to DISABLED. That disables the use of the newer policy type. Then you must clear the existing advanced policy from the machines (auditpol.pol /clear, having a blank audit.csv file, etc). The system isn't optimal, but the intention was never for you to go back.

Solution 2:

I solved it by the following procedure:

  • Set every advanced audit configuration item to "Not configured"
  • Run gpupdate /force on the relevant systems
  • Re-set all advanced audit configuration according to your requirements

I had created the failing GPO from a template which already had the advanced audit settings set. I guess there was an internal mismatch of the GUIDs...

Solution 3:

Old post but I just had and worked through the same problem and did not have success with the accepted solution.

@matze got me thinking about the backend of the Audit Policy process. I found the following article which laid out the process in wonderful detail (I highly recommend the read): https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/

In review, I found that the %systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv file was updating correctly but the %systemroot%\security\audit\audit.csv file had a timestamp from years ago.

In looking at the properties, c:\windows\security\audit\audit.csv was set to Read-Only which apparently was preventing the OS from updating the file.

To resolve I did the following:

  1. I removed the 'read only' attribute
  2. Used GPEdit to export the Advanced Audit Policy settings and manually set everything to not configured.
  3. Used Auditpol /backup /file:<file> to make a backup of the Auditpol
  4. Used auditpol /clear to clear the Auditpol
  5. Gpupdate /force
  6. auditpol /get /category:* to ensure everything was cleared
  7. Re-imported the Advanced Audit Policy settings into GPEdit
  8. Gpupdate /force
  9. auditpol /get /category:* to ensure everything was set correctly again

To confirm the fix, I made a change to a setting in GPEDIT, gpupdate again, auditpol /get again. The change showed up correctly.
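
The checks described across the three solutions can be gathered into one read-only diagnostic. This is an added example, not part of any of the answers above. It assumes the registry value `SCENoApplyLegacyAuditPolicy` under the Lsa key (the value behind "Audit: Force audit policy subcategory settings"), the `/r` CSV output of `auditpol`, and that both CSV sources carry `Subcategory GUID` and `Inclusion Setting` columns.

```powershell
# Added example: read-only diagnostic, changes nothing. Run elevated on the affected server.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
"Force subcategory settings (SCENoApplyLegacyAuditPolicy): " + $(if ($null -eq $force) { 'not set' } else { $force })

# The two audit.csv locations named in Solution 3.
$gpCsv  = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
$secCsv = Join-Path $env:SystemRoot 'security\audit\audit.csv'
$gp  = Get-Item -LiteralPath $gpCsv  -ErrorAction SilentlyContinue
$sec = Get-Item -LiteralPath $secCsv -ErrorAction SilentlyContinue
$gp, $sec | Where-Object { $_ } | Format-List FullName, LastWriteTime, IsReadOnly

if (-not $gp)  { Write-Warning "Missing: $gpCsv (no advanced audit policy delivered by GPO?)" }
if (-not $sec) { Write-Warning "Missing: $secCsv" }
if ($sec -and $sec.IsReadOnly) {
    Write-Warning "$secCsv is read-only; the OS may be unable to update it."
}
# Heuristic: a security copy older than the Group Policy copy suggests it is not being refreshed.
if ($gp -and $sec -and $sec.LastWriteTime -lt $gp.LastWriteTime) {
    Write-Warning "$secCsv is older than the Group Policy copy ($($gp.LastWriteTime))."
}

# Effective policy as the system reports it, in CSV form (blank lines dropped).
$effective = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$byGuid = @{}   # hashtable keys compare case-insensitively
foreach ($row in $effective) { $byGuid[$row.'Subcategory GUID'] = $row.'Inclusion Setting' }

# Compare what the GPO intends with what is in effect, matching on subcategory GUID
# because the display names differ between the two sources.
if ($gp) {
    $drift = Import-Csv -LiteralPath $gpCsv |
        Where-Object { $_.'Subcategory GUID' } |
        ForEach-Object {
            $actual = $byGuid[$_.'Subcategory GUID']
            if ($actual -ne $_.'Inclusion Setting') {
                [pscustomobject]@{
                    Subcategory = $_.Subcategory
                    Intended    = $_.'Inclusion Setting'
                    Effective   = $actual
                }
            }
        }
    if ($drift) { $drift | Format-Table -AutoSize }
    else        { 'Effective audit policy matches the Group Policy audit.csv.' }
}
```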