This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 12%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
I was troubleshooting some advance group policy issue, some were getting applied some were not. So I ran auditpol.exe /clear in the problematic machine once. And now the advance audit policies are not getting applied even after I run repeated gpupdates & system reboots.
How can I enable Advance Auditing back after running clear command.
The machine is Windows Server 2019
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 17%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
As I did the same mistake. As everything was working fine but I run the advanced police. With that I lost alot of philips remote codes files. Now After that I also run the auto configuration of it but haven't recovered the system. With that I also cleared the extra policy configuration but all in vain. At the end I contacted to their support. The support team is quite humble. They guide me through a proper sequence by deleting some extra file the system start proper working and my lost data get recovered. So contact to the support team for better solution.
I got the answer to the problem. Advance Audit policies are only working from Default Domain Policy. If I do the settings on a separate GPO, it is not applying even if I enforce the GPO. Both GPOs are applied on the top domain level, the custom GPO works for other settings but fails for Advance auditing. When the settings are shifted to Default Domain Policy, auditing starts working.
This looks like bug which Microsoft may want to look at or is their any specific reason why this happens.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 42%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
Advanced Auditing will not work at all if the "Default Domain Policy" is missing its audit.csv file in the SYSVOL folder
{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit
Even policies set locally via secpol.msc won't work!
To restore the audit.csv file, simply edit the "Default Domain Policy" and set any advanced audit setting. This recreates the audit.csv file in the SYSVOL path and you can immediately revert the change to the "Default Domain Policy".
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 80%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBR%3C/text%3E%3C/svg%3E)
That explains it David. Thanks for passing that on.
-Brent (formerly Brenticus-4216)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 60%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EU%3C/text%3E%3C/svg%3E)
Absolutely this. Thanks for dropping that info here, I was getting ready to murder something, so you saved an innocent life haha.
To resolve, here's the full process I used (DavidTrevor's answer + extra steps):
issue: Custom GPO wasnt showing advanced audit settings or working when GPO applied to device.
Solution:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 3%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJG%3C/text%3E%3C/svg%3E)
Thanks! Just ran into this issue and fixed it thanks to this post :)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 81%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Wanted to chime in here as this thread helped point me in the right direction, I've got a 2012R2 DFL domain and was implementing the Advanced Audit Policies on three different OUs. Unlike the OP I was able to get them working without using the Default Domain Policy entirely. However, there does seem to be a switch of some sort which is triggered by configuring them in the Default Domain Policy. It will become more clear with the review of my process:
Few things:
a. I've not checked to see if I'm then able to unconfigure the single Advanced Audit Policy setting in the Default Domain GPO and still retain functionality. My gut hunch is that it will revert back, and it's too much of a hassle when it's working fine with the single setting configured.
b. I believe this may be an issue that Microsoft has resolved, per update or subsequent version, however I've not been able to track that down. I've managed other domains with a 2012R2 DFL and above and I've not had the same issue. In other words, yet another thing to remember about Microsoft AD/GPO administration that seems to depend on unknown circumstances and is not as documented. Yay!!!! Lol
-Brent
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 32%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKK%3C/text%3E%3C/svg%3E)
I know this is old, but I wanted to chime in and thank you for this suggestion. I was having the issue where my advanced audit policies wouldn't apply in their own GPO. I changed the Default Domain policy to enable "Audit: Force audit policy subcategory
settings (Windows Vista or later) to override audit policy category settings" and one advanced logging option, and now my other policy is applying correctly. Thanks again for the idea!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 7.000000000000001%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
I did something conceptually similar to Brent, but on a per-machine basis. I found that if you set the audit settings on a sample machine, you can then copy the file in C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv to another machine, reboot, and it gets the correct audit settings. This allows you to get the settings you need, without having to monkey around with AD level GPOs, etc. We have BigFix to automate this, but SCCM or KACE would work too.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 0%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
Hi
Similar problem but I had probably another issue. Audit.csv located on both paths was corrupted (inside was a lot of spaces) so even gpresult showed advanced audit policies assigned it didn't worked. I have no time to study MS documentation but I suppose system tries to merge domain GPO with local and in this case when this file is corrupted shows No auditing for all audits.
To fix it simply overwrite audit.csv files with correct one or even empty (if you want only domain GPO)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHX%3C/text%3E%3C/svg%3E)
Hello,
Thank you so much for your feedback.
So glad to hear that the advanced audit settings started working when they were shifted to Default Domain Policy. If we did the settings on a separate GPO, it would still be applied. Below is my test, and we could kindly have a check.
1, Created the OU (such as OU for computers) and added the computers into this OU.
2, Created a GPO and linked to the above OU (The GPO was named Advanced audit policy).
3, Edited the GPO and configured the settings, such as Audit Credential Validation set to Success and Failure, Audit Security System Extension set to success.
4, Logged on to the computer and refresh the group policy via command gpupdate /force.
5, Checked the gpresult that the GPO was applied successfully.
6, Then check the audit policy via command auditpol /get /category:* and we could see that the settings were applied.
7, Last check the Event Viewer, and we could see that some events were logged.
Hope the information is helpful. Thank you so much for your time.
Best regards,
Hannah Xiong