windows-server-2008-r2 – Misconfigured advanced audit policy; back to basic?

I can't believe I did this... I set up an advanced audit policy in a GPO and turned off all the basic policies. From Technet:

After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.

It seems odd to me that there is no way to say "never mind, go back to basic auditing". We are not going to restore the whole network from an old backup, because too much time has passed since the change was put in place.

A similar question was asked on Server Fault, but the answer there seems to be "configure advanced auditing to behave the same way". If I have no other choice I will do that, but I would much rather actually restore basic auditing.

OK, it seems I found the answer. Setting the subcategory setting to "Disabled" is the important part. The technet article linked in a comment on the answer indicated the configuration was incorrect... which frustrated me.

From http://jmfcomputers.co.uk/blog/?p=202:

In order to roll back you will need to do the following:

◦ Reset all of your local advanced audit settings. If you did this via GPO, reset the settings in this GPO.

◦ On the 2008 machine use “auditpol /clear” to clear any locally set policies.

◦ You must set the local policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to DISABLED. When you do this and it is applied you will see the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa – SCENoApplyLegacyAuditPolicy = 0 (DWORD)

◦ Then you need to delete the audit.csv files. For domain based policy this will be in SYSVOL

◦ \\[Domain]\sysvol\[Domain]\Policies\{GUID}\Machine\Microsoft\Windows NT\Audit

◦ For local policies delete the Audit.csv from all of these locations. Some may be hidden, but they are there!!

◦ C:\Windows\security\audit

◦ C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit

Now reboot or “gpupdate /force” and you should be back to the start again.

Incidentally, once you have got the 2008 R2 machine applying the old Audit policies again I would advise setting the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” back to the default of not defined. This way when you move forward with the Advanced Audit settings in the future via GPO you will not have cases where 2008 R2 servers that have this setting disabled that were “fixed” then will not apply the new advanced audit settings. In order to do this just delete the SCENoApplyLegacyAuditPolicy DWORD value. You will see in the local policy that this has set the policy back to “not defined”.

This appears to have restored auditing to the state it was in before we enabled advanced auditing on our network.
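The local part of the rollback above (registry value, leftover Audit.csv files, auditpol /clear, gpupdate) as an added PowerShell example; this is not code from the thread or the linked blog. It assumes the GPO side has already been cleaned (advanced settings reset in the GPO and the SYSVOL Audit.csv removed), and the function names are my own.

```powershell
# Added example (not from the original thread): check and, with -Apply, perform
# the local steps of the rollback on one 2008 R2 host. Paths and the registry
# value are the ones quoted above; function names are assumptions.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$AuditCsvPaths = @(
    "$env:SystemRoot\security\audit\audit.csv",
    "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv"
)

function Get-LegacyAuditRollbackState {
    # Reports whether the host still forces advanced (subcategory) audit policy.
    $value = (Get-ItemProperty -Path $LsaKey -Name SCENoApplyLegacyAuditPolicy `
              -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
    [pscustomobject]@{
        SCENoApplyLegacyAuditPolicy = if ($null -eq $value) { 'not defined' } else { $value }
        # 1 = subcategory settings override category settings (advanced audit wins)
        AdvancedAuditForced = ($value -eq 1)
        # Any leftover audit.csv re-applies the advanced settings on the next refresh.
        # Test-Path also finds hidden files, which the blog warns about.
        LeftoverAuditCsv = @($AuditCsvPaths | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
    }
}

function Invoke-LegacyAuditRollback {
    param([switch]$Apply)   # without -Apply this is a dry run that only reports
    $state = Get-LegacyAuditRollbackState
    if ($state.AdvancedAuditForced) {
        Write-Host "Setting SCENoApplyLegacyAuditPolicy = 0 (policy 'Disabled')"
        if ($Apply) { Set-ItemProperty -Path $LsaKey -Name SCENoApplyLegacyAuditPolicy -Value 0 -Type DWord }
    }
    foreach ($csv in $state.LeftoverAuditCsv) {
        Write-Host "Removing $csv"
        if ($Apply) { Remove-Item -LiteralPath $csv -Force }   # -Force also removes hidden files
    }
    if ($Apply) {
        auditpol /clear /y           # drop any locally set per-subcategory policy
        gpupdate /force | Out-Null   # let the basic (category) audit policy re-apply
    }
    Get-LegacyAuditRollbackState     # show the resulting state
}

Invoke-LegacyAuditRollback           # dry run; run elevated with -Apply to perform it
```

Run `auditpol /get /category:*` afterwards to confirm the per-subcategory settings are gone, and remember the blog's later advice to delete the DWORD again once the machine applies the basic policy.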
