FYI at 2:25 you shouldn't need to have your default domain policy set to enforced. This means that any and all policies in an OU after it will NOT get the new policy if they are conflicting. I spent MONTHS trying to reverse engineer all the bad practices that were done because of this..
It sadly does not, cos that is actually what I need. But it only monitors actions of a current day. Meaning, you would have to save all the reports of that given day. cos the next day, it will not have the ones from yesterday anymore but then start with new events from the new day
I'm going to cut you some slack on the annnnnnnd and Okays but you should really not force your audience to listen to it by dropping timestamps in the description, that would be so awesome.
LOL - this comment made me think of Dude Where's My Car - "And then....." - NO AND THEN!....."And then...." - NO AND THEN!....just made me watch this video with my mind swapping our And then with OK.
Quick question, Perhaps you can clear my confusion. I have deployed a GPO that has the "Audit Object Access" enabled or say the "File Share" subcategory under Advanced Audit Policy settings enabled and now if i run a gupdate on my domain joined clients i see that the RSOP.msc shows these new settings in effect on the client. But why does running "Local Security Policy" mmc or secpol.msc on the same client still then shows AUDIT OBJECT ACCESS or the FILE SHARE settings as "Not configured" ? Shoudn't the Local Security snap-in then show these 2 settings as greyed out because i have enabled audit on them via a domain GPO ?
Thank you for the question and it is interesting... because you have used gpupdate /force and then you are stating the status. As we all know the precedence of group policy objects is: 1. Local, 2. Site, 3. Domain 4. OU. So the later ones override the previous ones. So, my first point would be to reboot one of those computers (as gpupdate is a bit unstable sometimes and needs the reboot) and then see if the domain precedence is working. Let me know what is your status. If need be I could recreate your scenario to test outcomes.
Thanks for responding. I have rebooted my clients and there is no change in the result. I have tried replicating it in a lab environment and i am getting the same results. Can you try replicating it on your end ? I wish there was an option to share screenshots here, else i would have done that with you. This is what i am experiencing: - Try deploying any "Advanced Audit Policy Configuration" to your domain joined pc's. I for instance enabled Success and Failure for "File System" and "File Share" sub categories under Advanced. - Upon doing a "gpupdate /force" OR rebooting the client PC's, you will notice that "gpresult /H report.html" command shows the new GPO settings being applied. However, if you open up the Local Security Policy , these Audit settings that you just pushed in the GPO show as "NOT CONFIGURED" and it lets you manually configure it. These should be grayed out in theory because we have deployed the GPO for the same. Trying running a RSOP.msc on the client and it does not even show the Advanced Audit Policy Configuration option . Try running " auditpol /get /category:* " command on the client and the output shows correctly that under Object Access category >> both File System and File Share show as "Success and Failure" So in a nutshell how is it that auditpol shows the correct output while rsop and secpol.msc both don't reflect or don't show any of the settings i deployed
showed all basic config but still NOTHING really on getting the file to show up in event viewer. The auditing process is just overall terrible, thanx Microsoft fucking POS
