3.2.5.6 Event Audit Policies

If the DWORD registry value MACHINE\System\CurrentControlSet\Control\LSA\SCENoApplyLegacyAuditPolicy is set to 1 using the mechanism described in section 2.2.5, then the client-side plug-in MUST ignore any settings under the Event Audit Policies section and MUST NOT process them. If this registry value is set to 1, it indicates that the Advanced Audit Policies are present on the client.<10>

The value of the key element MUST be one of the values specified in the table in section 2.2.4; otherwise, the client MUST log an error and stop processing Event Audit Policies. The value element MUST be an integer; otherwise, the client logs an error and stops processing Event Audit Policies.

Settings in Event Audit Policies (section 2.2.4) MUST be set by performing the external behavior consistent with locally invoking LsarSetInformationPolicy (section 3.1.4.4.6) ([MS-LSAD] section 3.1.4.4.6).

  • The PolicyHandle MUST be set to a policy handle opened by performing external behavior consistent with locally invoking LsarOpenPolicy (section 3.1.4.4.2) ([MS-LSAD] section 3.1.4.4.2).

  • The InformationClass MUST be set to PolicyAuditEventsInformation.

  • The Buffers MUST be set with the settings in Event Audit Policies where the keys are mapped to the enumeration ([MS-LSAD] section 2.2.4.20) according to the following table.

    Group Policy: Security Protocol Extension   Local Security Authority (Domain Policy) Remote Protocol
    -----------------------------------------   --------------------------------------------------------
    AuditAccountManage                          AuditCategoryAccountManagement
    AuditDSAccess                               AuditCategoryDirectoryServiceAccess
    AuditAccountLogon                           AuditCategoryAccountLogon
    AuditLogonEvents                            AuditCategoryLogon
    AuditObjectAccess                           AuditCategoryObjectAccess
    AuditPolicyChange                           AuditCategoryPolicyChange
    AuditPrivilegeUse                           AuditCategoryPrivilegeUse
    AuditProcessTracking                        AuditCategoryDetailedTracking
    AuditSystemEvents                           AuditCategorySystem

In addition, the value of each setting (section 2.2.4) is mapped to the values of the EventAuditingOptions array ([MS-LSAD] section 2.2.4.4) according to the following table. If either of the two low-order bits of the value is set, then the value is mapped according to the value expressed by those two bits. Otherwise, the value is mapped to POLICY_AUDIT_EVENT_NONE.

Group Policy: Security Protocol Extension   Local Security Authority (Domain Policy) Remote Protocol
-----------------------------------------   --------------------------------------------------------
0                                           POLICY_AUDIT_EVENT_NONE
1                                           POLICY_AUDIT_EVENT_SUCCESS | POLICY_AUDIT_EVENT_NONE
2                                           POLICY_AUDIT_EVENT_FAILURE | POLICY_AUDIT_EVENT_NONE
3                                           POLICY_AUDIT_EVENT_SUCCESS | POLICY_AUDIT_EVENT_FAILURE | POLICY_AUDIT_EVENT_NONE
4                                           POLICY_AUDIT_EVENT_NONE
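The following Python is added here as an illustration and is not part of this specification or of any Microsoft implementation: it applies the rules of this section to constructed settings, honouring SCENoApplyLegacyAuditPolicy, rejecting unknown keys and non-integer values, mapping keys to the [MS-LSAD] categories of the first table, and generalising the second table to any integer value by looking only at the two low-order bits. The numeric flag values are assumed from [MS-LSAD] section 2.2.4.4 and do not appear in this section.

```python
# Legacy Event Audit Policies keys (section 2.2.4) -> POLICY_AUDIT_EVENT_TYPE
# members ([MS-LSAD] section 2.2.4.20), exactly as in the first table above.
KEY_TO_CATEGORY = {
    "AuditAccountManage": "AuditCategoryAccountManagement",
    "AuditDSAccess": "AuditCategoryDirectoryServiceAccess",
    "AuditAccountLogon": "AuditCategoryAccountLogon",
    "AuditLogonEvents": "AuditCategoryLogon",
    "AuditObjectAccess": "AuditCategoryObjectAccess",
    "AuditPolicyChange": "AuditCategoryPolicyChange",
    "AuditPrivilegeUse": "AuditCategoryPrivilegeUse",
    "AuditProcessTracking": "AuditCategoryDetailedTracking",
    "AuditSystemEvents": "AuditCategorySystem",
}

# EventAuditingOptions flag values (assumed from [MS-LSAD] section 2.2.4.4).
POLICY_AUDIT_EVENT_SUCCESS = 0x1
POLICY_AUDIT_EVENT_FAILURE = 0x2
POLICY_AUDIT_EVENT_NONE = 0x4


def map_audit_value(value):
    """Second table above, generalised: only the two low-order bits of the
    value matter, and POLICY_AUDIT_EVENT_NONE is always OR'd in."""
    flags = POLICY_AUDIT_EVENT_NONE
    if value & 0x1:
        flags |= POLICY_AUDIT_EVENT_SUCCESS
    if value & 0x2:
        flags |= POLICY_AUDIT_EVENT_FAILURE
    return flags


def process_event_audit_policies(settings, sce_no_apply_legacy_audit_policy=0):
    """settings: (key, value) pairs from the section. Returns {category: flags}
    for PolicyAuditEventsInformation, {} when the section MUST be ignored, and
    raises ValueError where the text says the client MUST log an error and stop."""
    if sce_no_apply_legacy_audit_policy == 1:
        return {}  # Advanced Audit Policies are present; ignore legacy settings
    result = {}
    for key, raw in settings:
        if key not in KEY_TO_CATEGORY:
            raise ValueError(f"unknown Event Audit Policies key {key!r}")
        try:
            value = int(raw)
        except (TypeError, ValueError):
            raise ValueError(f"non-integer value {raw!r} for {key}") from None
        result[KEY_TO_CATEGORY[key]] = map_audit_value(value)
    return result


# Constructed sample input, as an .inf-style section parser might hand it over.
SAMPLE_SETTINGS = [("AuditLogonEvents", "3"), ("AuditObjectAccess", "2"),
                   ("AuditSystemEvents", "0"), ("AuditPolicyChange", "4")]
```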