Microsoft Reduce Customer Effort Center

Our team drives product feedback based on solid data, it drives proactive issue prevention and ultimately, drives improvements around products based on customer feedback.

SecPol can't detect the audit policy’s change that modified through auditpol command

SecPol can't detect the audit policy’s change that modified through auditpol command

  • Comments 1
  • Likes

Auditpol command and secpol UI display inconsistent auditing policy result. If you modify some audit policy through auditpol command, the secpol can't detect this change. (Win2008 R2 SP1 RC still have this issue)

Repro Steps:
1.    in order to describe this issue more exactly, we use one of the audit policy(“logon/logoff”) as an example.
2.    First ,type “auditpol /clear” in your command prompt with administrative privilege to reset all the auditing setting to default value.
3.    Run “auditpol /get /category:*” to make sure the “logon/logoff” policy was not configured, and also run ”secpol.msc” to make sure the “logon/logoff” policy under advanced audit policy configuration was not configured.
4.    Run “auditpol /set /category:”logon/logoff” /success:enable” to modify this policy.
5.    Run “gpupdate /force”
Then we can see the inconsistent result between the auditpol command prompt and the secpol.msc UI.
Run “auditpol /get /category:*”  in command prompt, from the output we can see the “logon/logoff” policy was modified. But from the secpol.msc UI the “logon/logoff” policy was still not configured

it seems the secpol UI can't detect the change made through auditpol command , so it make the inconsistent output between these two tools. Hope the fix will be published soon.

Comments
  • This bug has been driving me around the bend. Now I don't know which to believe...

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment