Run netdaig on the problem server to see if all looks well particularly for dns,
domain membership, and dc list. Then run gpresult on it looking to see where computer
settings are being applied from and do the same on one of the other servers
[gpresult] that is working right to see if the results match. It certainly sounds as
if the local policy is being overridden by a policy with higher precedence. I wonder
if there is a GPO configured somewhere where the audit policy is being applied for
those servers that is using filtering to apply only to certain computers via the GPO
properties/security - read and apply permissions and the problem computer is not
included or is denied based on group membership or such. Gpresult may be able to
help track that down. Keep in mind that if there are multiple GPO's for an OU the one
highest in the list takes precedence. --- Steve
Beth Bergin said:
The settings are all set to No Auditing under both the Local setting
and the Effective setting. It is in the same OU as all the other
servers in the domain and is receiving all the other GPO settings we
have set to push down from the dc. (user rights assignments, security
options all show set under effective settings) This is a member server
in the domain, I tried pulling it completely out for a day and putting
it back but that did not work. I do see the GP getting applied a
couple of times every day (by looking in the event viewer->application
log->SceCli. The event says
Security policy in the group policy objects are applied successfully
What is kind of strange is that if I look at the security Event log
everytime the policy refreshes I get to log events. Both are 612
Policy Change events. The first one is
Audit Policy Change
New Policy
Success Failure
+ + Logon/Logoff
+ + Object Access
+ + Priviledge Use
and so on....
Then the next newest entry in the Security log (which according to the
log happens at exactly the same time) is also a 612 Policy change
event and looks like it changes everything back to not auditing
anything
Success Failure
- - Logon/Logoff
- - Object Access
- - Priviledge Use
and so on...
If i set the Audit Policy locally to log events it works until the
Domain Security policy is applied. Any thoughts?
"GX" <none@none.com> wrote in message