Audit Policies not being applied?

If you notice that your audit policies are not being applied after being included in your Group Policy, it looks like this: if you run secpol.msc and check "Audit Policy", your computer shows the following:



If you open one of these audit policies you will see that the enable option is greyed out, and you get one of the causes of this issue right there in the red box:


However, in the GPO applied to the server it says this:



And you can confirm that with an RSoP policy trace, as you can see below:



If you check it with this command you will also see that nothing is happening, as everything is "Not Audited":

auditpol /get /category:*

This is what that looks like. Do not forget to run this as an administrator (seriously):


SCENoApplyLegacyAuditPolicy Problem

So what is going on is that the GPO says one thing but what is actually applied is another. This comes down to a couple of issues, the first being the Security Option called "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", which is seen here:



This causes a value called SCENoApplyLegacyAuditPolicy under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to be set to "1", as you can see here:



This disables the old legacy audit policies, as Windows now expects "Advanced Group Policy" (Advanced Audit Policy Configuration) to replace them, which you can read about here. However, this does not just affect Server 2008; it is a little more interesting than that.

If you set the Advanced Group Policy for Account Logon as you can see below, it will show as "Configured":


When you reopen the secpol.msc window you will notice that it now shows the correct Group Policy you are expecting, and the events are logged once again. This means "Advanced Group Policy" is overriding the original legacy audit policy.


Ensure you are patched and updated - yes, really!

However, this alone is not the whole story, as to get these settings to apply you need to ensure you have the latest hotfixes and updates installed. On a server that has all the updates installed, as you can see below, this was an issue, with the legacy policy showing as not applied:



However, if you have a server that is not patched, like this one for example, which has been purposely left unpatched for this article and therefore has received no patches since 2020-09 (which is not a good place to be by any measure):



You will see these policies are not affected by the key, as this server is missing lots of updates. So the fix for the issue is simple: patch the server, as having out-of-date Windows updates is a security nightmare.
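As an added example (not code from the original post), the following PowerShell reads the SCENoApplyLegacyAuditPolicy value described above and, alongside it, the most recently installed update, so the two conditions this post ties together (the subcategory override and the patch level) can be checked in one go on a member server. The function name Get-AuditPolicyOverrideState is my own; the registry path and value name are the ones from the post, and treating a missing value as 0 is an assumption about the default.

```powershell
# Added example (not from the original post): report whether the
# SCENoApplyLegacyAuditPolicy override is in force and when the server was
# last patched. Run from an elevated PowerShell prompt.
function Get-AuditPolicyOverrideState {
    [CmdletBinding()]
    param()

    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # The value is absent on a machine where the Security Option was never
    # set; assumption: treat "absent" the same as 0 (legacy category
    # settings still apply).
    $item = Get-ItemProperty -Path $lsaPath -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.SCENoApplyLegacyAuditPolicy } else { 0 }

    # Most recently installed update, used only as a rough patch-level indicator.
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        SCENoApplyLegacyAuditPolicy = $value
        SubcategoryOverrideActive   = ($value -eq 1)
        LegacyCategoryPolicyIgnored = ($value -eq 1)
        LastHotFixId                = $(if ($lastFix) { $lastFix.HotFixID } else { $null })
        LastHotFixInstalledOn       = $(if ($lastFix) { $lastFix.InstalledOn } else { $null })
    }
}

$state = Get-AuditPolicyOverrideState
$state | Format-List

if ($state.SubcategoryOverrideActive) {
    Write-Warning 'Subcategory override is on: the legacy "Audit Policy" settings in secpol.msc will show as not applied until an Advanced Audit Policy GPO is deployed.'
}
```

Get-HotFix only lists updates installed through the Windows servicing stack, so the date it returns is an indicator of patch level rather than proof that the server is fully up to date; the registry value is read directly, so it reflects what the Security Option actually left behind, not what the GPO intended.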


Summary

If you are confused about what you need to do, then the first bit of advice is to ensure your servers are patched. Seriously, not really new advice, but it is good advice in this case.

The registry key is an indicator of the issue, but that does not mean it is the cause. You can disable this audit policy as below, by setting it to Disabled.


Deploy Advanced Group Policy Auditing

However, that is really masking the issue. What you really need to do is create a new Advanced Group Policy GPO and deploy that; this way the legacy policy does not matter, as the new advanced group policy will then apply the legacy settings, plus you have more control over these settings.

Below is one that covers the legacy audit policy for the older servers and the newly defined advanced group policy, in this case for Account Logon. As you can see in the GPO, you can break down exactly what you would like:


Then, once applied and deployed, you can check that on the member servers with the command from earlier:

auditpol /get /category:*

This should confirm what is set in the GPO, as below:
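As an added example (not code from the original post), here is a PowerShell script that turns the auditpol /get /category:* check used in this post into a comparison against what the GPO is meant to set, using auditpol's /r switch to get CSV output rather than reading the table by eye. The $Expected table is constructed for the Account Logon subcategories this post configures and should be adjusted to match your own GPO; the function names Get-EffectiveAuditPolicy and Compare-AuditPolicy are my own.

```powershell
# Added example (not from the original post): compare the effective audit
# policy reported by auditpol with what the GPO is expected to have set.
# Run from an elevated prompt on a member server after gpupdate.

# Constructed expectation for the Account Logon category, written in
# auditpol's own "Inclusion Setting" wording. Adjust to match your GPO.
$Expected = @{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Other Account Logon Events'         = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # /r makes auditpol emit CSV, which parses more reliably than the table view.
    $csv = & auditpol.exe /get /category:* /r 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol failed (exit $LASTEXITCODE); are you running as administrator? $csv"
    }
    # Header row is: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

function Compare-AuditPolicy {
    param(
        [Parameter(Mandatory)][hashtable]$Expected,
        [Parameter(Mandatory)][object[]]$Actual
    )
    # Index the live policy by subcategory name for lookup.
    $byName = @{}
    foreach ($row in $Actual) {
        $byName[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim()
    }

    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = if ($byName.ContainsKey($name)) { $byName[$name] } else { '<not reported>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            Matches     = ($actual -eq $Expected[$name])
        }
    }
}

$report = Compare-AuditPolicy -Expected $Expected -Actual (Get-EffectiveAuditPolicy)
$report | Format-Table -AutoSize

# Anything still reading "No Auditing" here means the advanced policy has not
# landed on this server yet, which is exactly the symptom described in this post.
$drift = @($report | Where-Object { -not $_.Matches })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} subcategor{1} still differ from the GPO; re-run gpupdate /force and check RSoP." -f $drift.Count, $(if ($drift.Count -eq 1) { 'y' } else { 'ies' }))
}
```

Because the comparison keys on auditpol's subcategory names, it works unchanged for any other category you add to the GPO: extend $Expected with the subcategory names auditpol prints and the same report covers them.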

