Microsoft KB Archive/324739

= How to use Group Policy to audit registry keys in Windows Server 2003 =

Article ID: 324739

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-



This article was previously published under Q324739



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

For a Microsoft Windows 2000 version of this article, see 315416.

IN THIS TASK

 * SUMMARY
 * Create a Group Policy Object
 * Turn On Auditing in Group Policy
 * Turn On Auditing on a Domain Controller
 * Turn On Auditing on a Computer That Is Not a Member of a Domain
 * Audit a Registry Key
 * Use a Security Template to Audit Registry Keys
 * Create a Security Template
 * Apply the Security Template
 * Troubleshooting



SUMMARY
This article describes how to use Group Policy to configure auditing of Windows registry keys.

back to the top

Create a Group Policy Object
To create a Group Policy object (GPO) that you can use to turn on auditing in a domain, follow these steps:
 * 1) Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Right-click your domain, and then click Properties.
 * 3) Click the Group Policy tab, and then click New.
 * 4) Type the name that you want to use for this policy (for example, Enable auditing policy ), and then press ENTER.
 * 5) Click Properties, and then click the Security tab.
 * 6) Click to clear the Allow check box next to Apply Group Policy for the security groups that you want to prevent from having this policy applied.
 * 7) Click to select the Allow check box next to Apply Group Policy for the groups to which you want to apply this policy, and then click OK.
 * 8) Click OK, click OK again, and then quit Active Directory Users and Computers.

back to the top

Turn On Auditing in Group Policy
If auditing is not already turned on, you must turn it on. In a domain, turn on auditing in a GPO that is linked to the domain. On either a server or a workstation that is not a member of the domain, turn on auditing in a local GPO.

back to the top

Turn On Auditing on a Domain Controller

 * 1) Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Right-click your domain, and then click Properties.
 * 3) Click the Group Policy tab, click the Group Policy object that you want to use, and then click Edit.
 * 4) Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
 * 5) In the right pane, double-click Audit object access.
 * 6) Click to select the Define these policy settings check box, click to select the Success check box, click to select the Failure check box, and then click OK.

NOTE: The Audit object access policy setting is enough to turn on auditing for the Windows registry.
 * 1) Quit the Group Policy Object Editor snap-in, and then click Close.

back to the top

Turn On Auditing on a Computer That Is Not a Member of a Domain

 * 1) Click Start, and then click Run.
 * 2) In the Open box, type gpedit.msc, and then click OK.
 * 3) Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
 * 4) In the right pane, double-click Audit object access.
 * 5) Click to select the Success check box, click to select the Failure check box, and then click OK.

NOTE: The Audit object access policy is enough to turn on auditing for the Windows registry.
 * 1) Quit the Group Policy Object Editor snap-in.

back to the top

Audit a Registry Key
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.


 * 1) Click Start, and then click Run.
 * 2) In the Open box, type regedit, and then click OK.
 * 3) Locate and click the registry key that you want to audit, for example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 * 1) On the Edit menu, click Permissions.
 * 2) Click Advanced, click the Auditing tab, and then click Add.
 * 3) Type the user account or group whose access to this registry key you want to audit, click Check Names to verify the name, and then click OK.
 * 4) In the Apply onto box, click the option that you want.
 * 5) Click to select the Successful and Failed check boxes next to the following access types:

Set Value

Create Subkey
 * 1) Click OK, and then click OK.

You may receive the following message:

The current Audit Policy for this computer does not have auditing turned on. If this computer receives audit policy from the domain, please ask a domain administrator to turn on auditing using Group Policy Editor. Otherwise, use the Local Computer Policy Editor to configure the audit policy locally on this computer.

If auditing is not turned on, you must turn it on by following the steps in the Turn On Auditing in Group Policy section of this article.
 * 1) Click OK
 * 2) Quit Registry Editor.

Audit events are displayed in the Security log of Event Viewer.

back to the top

Use a Security Template to Audit Registry Keys
You can also use a security template to audit registry keys. To configure the audit policy, either create a custom security template or modify an existing template, and then use Group Policy to apply this template to multiple computers in a domain or an organizational unit (OU).

back to the top

Create a Security Template
To create a new security template or to modify an existing template, follow these steps:  Click Start, and then click Run. In the Open box, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in. Click Add, click Security Templates, click Add, click Close, and then click OK. In the console tree, expand Security Templates, and then expand  :\WINDOWS\Security\Templates, where  is the drive on which Windows is installed. Do one of the following:

 If you want to modify an existing template, expand the template that you want to use, for example, hisecws (high-security workstation template).

</li> If you want to create a new security template, follow these steps:

<ol style="list-style-type: lower-alpha;"> Right-click  :\WINDOWS\Security\Templates, and then click New Template.</li> Type a name for the template in the Template name box, and then click OK.</li> Expand the new template that you created.</li></ol> </li></ul> </li> Right-click Registry, and then click Add Key.</li> In the Registry list, click the registry key that you want to use, and then click OK. For example:

MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</li> Click Advanced, click the Auditing tab, and then click Add.</li> Type the user account or group whose access to this registry key you want to audit, click Check Names to verify the name, and then click OK.</li> In the Apply onto box, click the option that you want.</li> Click to select the Successful and Failed check boxes next to the type of access that you want to audit for either the selected user or the selected security group, and then click OK.

For example, click to select the Successful and Failed check boxes next to Set Value.</li> Click OK.

If you receive the following message, click OK:

The current Audit Policy for this computer does not have auditing turned on. If this computer receives audit policy from the domain, please ask a domain administrator to turn on auditing using Group Policy Editor. Otherwise, use the Local Computer Policy Editor to configure the audit policy locally on this computer.</li> Click OK, and then click OK.</li> Expand Local Policies, and then click Audit Policy.</li> In the right pane, double-click Audit object access</li> Click to select Define these policy settings in the template check box, click to select the Success check box, click to select the Failure check box, and then click OK.

NOTE: The Audit object access policy setting is enough to turn on auditing for the Windows registry.</li> <li>Quit the Security Templates snap-in.</li> <li>If a Save Security Templates dialog box is displayed, click Yes to save the custom security template that you created.</li></ol>

back to the top

Apply the Security Template
Use Group Policy to apply the security template that contains the audit policy that you configured. To do so, follow these steps: <ol> <li>Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.</li> <li>Do one of the following:

<ul> <li>If you want to apply the security template to the whole domain, right-click the domain, and then click Properties.

-or-</li> <li>If you want to apply the security templates to an organizational unit, expand the domain, right-click the organizational unit, and then click Properties.</li></ul> </li> <li>Create a GPO to use to apply the security template. To do so:

<ol style="list-style-type: lower-alpha;"> <li>Click the Group Policy tab.</li> <li>Click New.</li> <li>Type a name for the GPO in the New Group Policy Object box (for example, Apply Audit Policy Security Template ), and then press ENTER.</li></ol> </li> <li>Click Edit.</li> <li>Under Computer Configuration, expand Windows Settings, right-click Security Settings, and then click Import Policy.</li> <li>Click the security template that you created, click to select the Clear this database before importing check box, and then click Open.

NOTE: When the Clear this database before importing check box is selected, all of the security settings in the GPO are replaced with those of the security template that you import.</li> <li>Quit the Group Policy Object Editor snap-in, and then click Close.</li> <li>Quit Active Directory Users and Computers.</li></ol>

back to the top

Troubleshooting
After you configure auditing, the service may not work. This behavior can occur for any of the following reasons:
 * A site, a domain, or an organizational unit policy setting overrides the audit policy that you configured. To troubleshoot this issue, follow these steps:


 * Click Start, and then click Run.
 * In the Open box, type gpedit.msc, and then click OK.
 * Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
 * In the right pane, view the item in the Security Setting column of the policy that you want to use.

If the security setting of the policy is No auditing, a higher-level GPO may be overriding the audit policy setting that you configured. To confirm this behavior, view the higher-level GPO items that are linked to either the organizational unit or to the domain for possible conflicts.
 * Click to select the Audit these attempts check box, click to select the Success check box, click to select the Failure check box, and then click OK.

NOTE: The Audit object access policy setting is enough to turn on auditing for the Windows registry.
 * Quit the Group Policy Object Editor snap-in.
 * A GPO that overrides the audit policy setting has a higher priority. To troubleshoot this issue, follow these steps:


 * Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
 * In the console tree, right-click your domain, and then click Properties.
 * Click the Group Policy tab. View the Group Policy Objects Links list.

Items that are higher in the list override other lower-level items.
 * If the GPO that contains your audit policy setting is listed below a higher-priority GPO item that turns off auditing, do one of the following steps:


 * Click the GPO that contains the audit policy setting that you want to use, and then click Up to move it above the higher-priority item in the list.

WARNING: Make sure that other settings in your GPO do not conflict with the settings in the GPO items that are listed below it.

-or-
 * Edit the GPO items that are listed above the GPO that contains the audit policy setting to remove conflicting policy settings.

NOTE: You may want to combine the audit settings from one GPO with those of a higher-level GPO to resolve the audit policy conflict and to reduce the number of GPO items.
 * When you are finished, click OK, and then click Exit on the File menu.
 * The site, the domain, or the organizational unit policy setting that contains the audit policy setting has not replicated to other computers. To resolve this issue, use the Secedit.exe command-line utility to force Group Policy to be refreshed.

back to the top

<div class="references_section">