Microsoft KB Archive/921469

= How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain =

Article ID: 921469

Article Last Modified on 11/30/2006

-

APPLIES TO


 * Windows Vista Ultimate
 * Windows Vista Business
 * Windows Vista Enterprise

-



SUMMARY
''This article describes how to use Group Policy to configure security auditing settings for Microsoft Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain. Windows Vista lets you manage audit policies at a more detailed level by using audit policy subcategories. This article describes a procedure that administrators can use to deploy a custom audit policy that applies detailed security auditing settings for Windows Vista client computers.''



INTRODUCTION
This article discusses how to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain. In Windows Vista, you have more control over individual audit policy subcategories than you have in earlier versions of Windows operating systems. The individual audit policy subcategories that are available in Windows Vista are not exposed in the interface of Group Policy tools. Administrators can use the procedure that is described in this article to deploy a custom audit policy that applies detailed security auditing settings to Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain.



Things to consider
The following are some things to consider before you perform the procedure that this article discusses:
 * The procedure uses sample code. The sample code uses the Netlogon share. Additionally, the sample code uses the %SystemRoot%\Temp folder as the cache.
 * The procedure uses the Contoso.com sample domain.
 * The procedure assumes that the following conditions are true:
 * You are familiar with the following technologies and tools:
 * Group Policy startup scripts
 * Group Policy Management Console
 * The Auditpol.exe command-line tool
 * You have a basic understanding of batch file processing.
 * You can configure one audit policy for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain. The audit policy is assigned to the Default Domain Policy.
 * You are familiar with the scripts that the procedure uses work to override legacy domain-based audit policy settings with the detailed audit policy settings that are available in Windows Vista. If you do not want to configure the detailed audit policy settings that are available in Windows Vista, do not use the procedure that this article discusses.

Use Group Policy to configure detailed security auditing settings for Windows Vista client computers
To use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain, follow these steps.

Step 1: Determine the security auditing settings that you want to deploy to Windows Vista client computers
 Log on to a computer that is running Windows Vista as a user who has administrator credentials. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. In the User Account Control dialog box, click Continue. Flush the default audit policy settings. To do this, type the following line at the command prompt, and then press ENTER:

auditpol /clear

 Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want.

For example, type the following lines at the command prompt. Press ENTER after each line.

auditpol /set /subcategory:&quot;user account management&quot; /success:enable /failure:enable

auditpol /set /subcategory:&quot;logon&quot; /success:enable /failure:enable

auditpol /set /subcategory:&quot;IPSEC Main Mode&quot; /failure:enable

Note To see all possible categories and subcategories, type the following line at the command prompt, and then press ENTER:

auditpol /list /subcategory:*

 Type the following line at the command prompt, and then press ENTER:

auditpol /backup /file:auditpolicy.txt

 Copy the Auditpolicy.txt file to the Netlogon share of the domain controller that holds the primary domain controller (PDC) emulator role in the domain.

The Auditpolicy.txt file contains all the audit policy settings that you configured. The startup script uses this file to reapply the policy. After you successfully apply the startup script one time, you do not have to restart the computer to update audit policy settings. To update audit policy settings, overwrite the earlier version of the Auditpolicy.txt file that you copied to the Netlogon share. To do this, create a new Auditpolicy.txt file, and then copy the new Auditpolicy.txt file to the Netlogon share.</li></ol>

Step 2: Prevent the legacy domain audit policy from overwriting the audit policy on Windows Vista client computers
To prevent the legacy domain policy from overwriting the audit policy, you must enable the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting. This prevents domain-based audit policy from overwriting the more detailed audit policy settings on Windows Vista client computers. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> On a Windows Vista client computer that is joined to the domain, open the Default Domain Policy.</li> Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.</li> Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.</li> Click Enabled, and then click OK.</li></ol>

Step 3: Create the scripts, and then add the scripts to the Netlogon share
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. <ol style="list-style-type: lower-alpha;"> Create the AuditPolicy.cmd script. To do this, follow these steps: <ol> Start Notepad, and then open a blank document.</li>  Paste the following code to the document in Notepad: @echo off

REM AuditPolicy.cmd REM (c) 2006 Microsoft Corporation. All rights reserved. REM Sample Audit Script to deploy Windows Vista REM Granular Audit Policy settings.

REM Should be run as a startup script from Group Policy

REM ################################################### REM Declare Variables so that we only need to edit file REM names/paths in one location in script REM ###################################################

set AuditPolicyLog=%systemroot%\temp\auditpolicy.log set OSVersionSwap=%systemroot%\temp\osversionwap.txt set OsVersionTxt=%systemroot%\temp\osversion.txt set MachineDomainTxt=%systemroot%\temp\machinedomain.txt set MachineDomainSwap=%systemroot%\temp\machinedomainSwap.txt set ApplyAuditPolicyCMD=applyauditpolicy.cmd set AuditPolicyTxt=auditpolicy.txt

REM ################################################### REM Clear Log & start fresh REM ###################################################

if exist %AuditPolicyLog% del %AuditPolicyLog% /q /f date /t > %AuditPolicyLog% & time /t >> %AuditPolicyLog% echo.

REM ################################################### REM Check OS Version REM ###################################################

ver | findstr &quot;[&quot; > %OSVersionSwap% for /f &quot;tokens=2 delims=[&quot; %%i in (%OSVersionSwap%) do echo %%i > %OsVersionTxt% for /f &quot;tokens=2 delims=] &quot; %%i in (%OsVersionTxt%) do set osversion=%%i echo OS Version=%osversion% >> %AuditPolicyLog%

REM ################################################### REM Skip Pre-Vista REM ###################################################

if &quot;%osversion%&quot; LSS &quot;6.0&quot; exit /b 1

REM ################################################### REM Get Domain Name REM ###################################################

WMIC /namespace:\\root\cimv2 path Win32_ComputerSystem get domain /format:list > %MachineDomainSwap% find /i &quot;Domain=&quot; %MachineDomainSwap% > %MachineDomainTxt% for /f &quot;Tokens=2 Delims==&quot; %%i in (%MachineDomainTxt%) do set machinedomain=%%i echo Machine domain=%machinedomain% >> %AuditPolicyLog%

REM ################################################### REM Copy Script & Policy to Local Directory or Terminate REM ###################################################

xcopy \\%machinedomain%\netlogon\%ApplyAuditPolicyCMD% %systemroot%\temp\*.* /r /h /v /y if %ERRORLEVEL% NEQ 0 (   echo Could not read \\%machinedomain%\netlogon\%ApplyAuditPolicyCMD% >> %AuditPolicyLog%    exit /b 1 ) else (    echo Copied \\%machinedomain%\netlogon\%ApplyAuditPolicyCMD% to %systemroot%\temp >> %AuditPolicyLog% )

xcopy \\%machinedomain%\netlogon\%AuditPolicyTxt% %systemroot%\temp\*.* /r /h /v /y if %ERRORLEVEL% NEQ 0 (   echo Could not read \\%machinedomain%\netlogon\%AuditPolicyTxt% >> %AuditPolicyLog%    exit /b 1 ) else (    echo Copied \\%machinedomain%\netlogon\%AuditPolicyTxt% to %systemroot%\temp >> %AuditPolicyLog% )

REM ################################################### REM Create Named Scheduled Task to Apply Policy REM ###################################################

%systemroot%\system32\schtasks.exe /create /ru System /tn audit /sc hourly /mo 1 /f /rl highest /tr &quot;%systemroot%\temp\%ApplyAuditPolicyCMD%&quot; if %ERRORLEVEL% NEQ 0 (   echo Failed to create scheduled task for Audit >> %AuditPolicyLog%    exit /b 1 ) else (    echo Created scheduled task for Audit >> %AuditPolicyLog% )

REM ################################################### REM Start Named Scheduled Task to Apply Policy REM ###################################################

%systemroot%\system32\schtasks.exe /run /tn audit if %ERRORLEVEL% NEQ 0 (   Failed to execute scheduled task for Audit >> %AuditPolicyLog% ) else (    echo Executed scheduled task for Audit >> %AuditPolicyLog% ) </li> On the File menu, click Save.</li> In the Save as type box, click All Files, type AuditPolicy.cmd in the File name box, and then click Save.</li></ol> </li> Create the ApplyAuditPolicy.cmd script. To do this, follow these steps: <ol> Start Notepad, and then open a blank document.</li>  Paste the following code to the document in Notepad: @echo off

REM ApplyAuditPolicy.cmd REM (c) 2006 Microsoft Corporation. All rights reserved. REM Sample Audit Script to deploy Windows Vista REM Granular Audit Policy settings.

REM ################################################### REM Declare Variables so that we only need to edit file REM names/paths in one location in script REM ###################################################

set DeleteAudit=DeleteAudit.txt set AuditPolicyLog=%systemroot%\temp\AuditPolicy.log set ApplyAuditPolicyLog=%systemroot%\temp\ApplyAuditPolicy.log set OSVersionSwap=%systemroot%\temp\osversionwap.txt set OsVersionTxt=%systemroot%\temp\osversion.txt set MachineDomainTxt=%systemroot%\temp\machinedomain.txt set MachineDomainSwap=%systemroot%\temp\machinedomainSwap.txt set ApplyAuditPolicyCMD=ApplyAuditpolicy.cmd set AuditPolicyTxt=AuditPolicy.txt

REM ################################################### REM Clear Log & start fresh REM ###################################################

if exist %ApplyAuditPolicyLog% del %ApplyAuditPolicyLog% /q /f date /t > %ApplyAuditPolicyLog% & time /t >> %ApplyAuditPolicyLog% echo.

REM ################################################### REM Check OS Version REM ###################################################

ver | findstr &quot;[&quot; > %OSVersionSwap% for /f &quot;tokens=2 delims=[&quot; %%i in (%OSVersionSwap%) do echo %%i > %OsVersionTxt% for /f &quot;tokens=2 delims=] &quot; %%i in (%OsVersionTxt%) do set osversion=%%i echo OS Version=%osversion% >> %ApplyAuditPolicyLog%

REM ################################################### REM Skip Pre-Vista REM ###################################################

if &quot;%osversion%&quot; LSS &quot;6.0&quot; exit /b 1

REM ################################################### REM Get Domain Name REM ###################################################

WMIC /namespace:\\root\cimv2 path Win32_ComputerSystem get domain /format:list > %MachineDomainSwap% find /i &quot;Domain=&quot; %MachineDomainSwap% > %MachineDomainTxt% for /f &quot;Tokens=2 Delims==&quot; %%i in (%MachineDomainTxt%) do set machinedomain=%%i echo Machine domain=%machinedomain% >> %ApplyAuditPolicyLog%

REM ################################################### REM Delete Audit Task REM Should only be used to remove the pseudo-policy from REM client machines (designed for future Vista revisions REM where this script will no longer be necessary, and this REM script needs to be backed out).

REM to use, simply create a file in NETLOGON with a name REM that matches the contents of DeleteAudit variable (above) REM ###################################################

if exist \\%machinedomain%\netlogon\%DeleteAudit% (   %systemroot%\system32\schtasks.exe /delete /tn &quot;Audit&quot; /F    DEL %AuditPolicyLog%    DEL %ApplyAuditPolicyLog%    DEL %OSVersionSwap%    DEL %OsVersionTxt%    DEL %MachineDomainTxt%    DEL %MachineDomainSwap%    DEL %systemroot%\temp\%ApplyAuditPolicyCMD%    DEL %systemroot%\temp\%AuditPolicyTxt%    exit /b 1 )

REM ################################################### REM Copy Audit Policy to Local Directory REM This is tolerant of failures since the copy is just REM a &quot;cache refresh&quot;. REM ###################################################

xcopy \\%machinedomain%\netlogon\%AuditPolicyTxt% %systemroot%\temp\*.* /r /h /v /y if %ERRORLEVEL% NEQ 0 (   echo Could not read \\%machinedomain%\netlogon\%AuditPolicyTxt% so using previous cached copy>> %ApplyAuditPolicyLog% ) else (    echo Copied \\%machinedomain%\netlogon\%AuditPolicyTxt% to %systemroot%\temp >> %ApplyAuditPolicyLog% )

REM ################################################### REM Apply Policy REM ###################################################

%systemroot%\system32\auditpol.exe /restore /file:%systemroot%\temp\%AuditPolicyTxt% if %ERRORLEVEL% NEQ 0 (   Failed to apply audit settings >> %ApplyAuditPolicyLog% ) else (    echo Successfully applied audit settings >> %ApplyAuditPolicyLog% ) </li> On the File menu, click Save.</li> In the Save as type box, click All Files, type ApplyAuditPolicy.cmd in the File name box, and then click Save.</li></ol> </li> Copy the AuditPolicy.cmd script and the ApplyAuditPolicy.cmd script to the Netlogon share of the domain controller that holds the PDC emulator role in the domain.</li> <li>Wait until Active Directory replication occurs. Also, wait until the files and folders in the system volume (SYSVOL) shared folder replicate on domain controllers in the domain.</li> <li>Add the startup script to the Default Domain Policy. To do this, follow these steps: <ol> <li>Start the Active Directory Users and Computers tool.</li> <li>Right-click, and then click Properties.</li> <li>Click the Group Policy tab, click Default Domain Policy, and then click Edit. The Group Policy Object Editor tool starts.</li> <li>Expand Computer Configuration, expand Windows Settings, and then click Scripts (Startup/Shutdown).</li> <li>Double-click Startup, and then click Add.</li> <li>In the Script Name box, type the universal naming convention (UNC) path of the AuditPolicy.cmd file that is located in the Netlogon share. Use the following format:

\\ \Netlogon\AuditPolicy.cmd

For example, type \\contoso.com\netlogon\auditpolicy.cmd .</li> <li>Click OK two times.</li></ol> </li></ol>

Step 4: Verify that the security auditing settings are successfully applied
<ol style="list-style-type: lower-alpha;"> <li>Wait until Active Directory replication occurs. Also, wait until the files and folders in the system volume (SYSVOL) shared folder replicate on domain controllers in the domain.</li> <li>Restart a Windows Vista client computer that is joined to the domain. Then, log on to the computer as a user who has administrator credentials.</li> <li>Click Start, point to All Programs, and then click Accessories.</li> <li>Right-click Command Prompt, and then click Run as administrator.</li> <li>In the User Account Control dialog box, click Continue.</li> <li>Type the following line at the command prompt, and then press ENTER:

auditpol /get /category:*

</li> <li>Verify that the security auditing settings that are displayed at the command prompt match the settings that are configured in the AuditPolicy.txt file that you created in &quot;Step 1: Determine the security auditing settings that you want to deploy to Windows Vista client computers.&quot;

If the security auditing settings do not match, examine the log files that are generated by the startup script in the %SystemRoot%\Temp folder. If no log files exist in the %SystemRoot%\Temp folder, examine the Windows Vista client computer to determine why Group Policy was not applied.</li></ol>

<div class="references_section">