MORE INFORMATION

Things to consider

The following are some things to consider before you perform the procedure that this article discusses:

• The procedure uses sample code. The sample code uses the Netlogon share. Additionally, the sample code uses the %SystemRoot%\Temp folder as the cache.
• The procedure uses the Contoso.com sample domain.
• The procedure assumes that the following conditions are true:
  • You are familiar with the following technologies and tools:
    • Group Policy startup scripts
    • Group Policy Management Console
    • The Auditpol.exe command-line tool
  • You have a basic understanding of batch file processing.
  • You can configure one audit policy for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain. The audit policy is assigned to the Default Domain Policy.
• You are familiar with the scripts that the procedure uses work to override legacy domain-based audit policy settings with the detailed audit policy settings that are available in Windows Vista. If you do not want to configure the detailed audit policy settings that are available in Windows Vista, do not use the procedure that this article discusses.

Use Group Policy to configure detailed security auditing settings for Windows Vista client computers

To use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain, follow these steps.

Step 1: Determine the security auditing settings that you want to deploy to Windows Vista client computers

1. Log on to a computer that is running Windows Vista as a user who has administrator credentials.
2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
3. In the User Account Control dialog box, click Continue.
4. Flush the default audit policy settings. To do this, type the following line at the command prompt, and then press ENTER:

   auditpol /clear

5. Use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want.
   
   For example, type the following lines at the command prompt. Press ENTER after each line.

   auditpol /set /subcategory:"user account management" /success:enable /failure:enable

   auditpol /set /subcategory:"logon" /success:enable /failure:enable

   auditpol /set /subcategory:"IPSEC Main Mode" /failure:enable

   Note To see all possible categories and subcategories, type the following line at the command prompt, and then press ENTER:

   auditpol /list /subcategory:*

6. Type the following line at the command prompt, and then press ENTER:

   auditpol /backup /file:auditpolicy.txt

7. Copy the Auditpolicy.txt file to the Netlogon share of the domain controller that holds the primary domain controller (PDC) emulator role in the domain.
   
   The Auditpolicy.txt file contains all the audit policy settings that you configured. The startup script uses this file to reapply the policy. After you successfully apply the startup script one time, you do not have to restart the computer to update audit policy settings. To update audit policy settings, overwrite the earlier version of the Auditpolicy.txt file that you copied to the Netlogon share. To do this, create a new Auditpolicy.txt file, and then copy the new Auditpolicy.txt file to the Netlogon share.

Step 2: Prevent the legacy domain audit policy from overwriting the audit policy on Windows Vista client computers

To prevent the legacy domain policy from overwriting the audit policy, you must enable the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting. This prevents domain-based audit policy from overwriting the more detailed audit policy settings on Windows Vista client computers. To do this, follow these steps:

1. On a Windows Vista client computer that is joined to the domain, open the Default Domain Policy.
2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
3. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
4. Click Enabled, and then click OK.

Step 3: Create the scripts, and then add the scripts to the Netlogon share

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

1. Create the AuditPolicy.cmd script. To do this, follow these steps:
   1. Start Notepad, and then open a blank document.

   2. Paste the following code to the document in Notepad:

      @echo off
      
      REM AuditPolicy.cmd
      REM (c) 2006 Microsoft Corporation.  All rights reserved.
      REM Sample Audit Script to deploy Windows Vista
      REM Granular Audit Policy settings.
      
      REM Should be run as a startup script from Group Policy
      
      REM ###################################################
      REM Declare Variables so that we only need to edit file
      REM names/paths in one location in script
      REM ###################################################
      
      set AuditPolicyLog=%systemroot%\temp\auditpolicy.log
      set OSVersionSwap=%systemroot%\temp\osversionwap.txt
      set OsVersionTxt=%systemroot%\temp\osversion.txt
      set MachineDomainTxt=%systemroot%\temp\machinedomain.txt
      set MachineDomainSwap=%systemroot%\temp\machinedomainSwap.txt
      set ApplyAuditPolicyCMD=applyauditpolicy.cmd
      set AuditPolicyTxt=auditpolicy.txt
      
      REM ###################################################
      REM Clear Log & start fresh
      REM ###################################################
      
      if exist %AuditPolicyLog% del %AuditPolicyLog% /q /f
      date /t > %AuditPolicyLog% & time /t >> %AuditPolicyLog%
      echo.
      
      REM ###################################################
      REM Check OS Version
      REM ###################################################
      
      ver | findstr "[" > %OSVersionSwap%
      for /f "tokens=2 delims=[" %%i in (%OSVersionSwap%) do echo %%i > %OsVersionTxt%
      for /f "tokens=2 delims=] " %%i in (%OsVersionTxt%) do set osversion=%%i
      echo OS Version=%osversion% >> %AuditPolicyLog%
      
      REM ###################################################
      REM Skip Pre-Vista
      REM ###################################################
      
      if "%osversion%" LSS "6.0" exit /b 1
      
      REM ###################################################
      REM Get Domain Name
      REM ###################################################
      
      WMIC /namespace:\\root\cimv2 path Win32_ComputerSystem get domain /format:list > %MachineDomainSwap%
      find /i "Domain=" %MachineDomainSwap% > %MachineDomainTxt%
      for /f "Tokens=2 Delims==" %%i in (%MachineDomainTxt%) do set machinedomain=%%i
      echo Machine domain=%machinedomain% >> %AuditPolicyLog%
      
      REM ###################################################
      REM Copy Script & Policy to Local Directory or Terminate
      REM ###################################################
      
      xcopy \\%machinedomain%\netlogon\%ApplyAuditPolicyCMD% %systemroot%\temp\*.* /r /h /v /y
      if %ERRORLEVEL% NEQ 0 (
          echo Could not read \\%machinedomain%\netlogon\%ApplyAuditPolicyCMD% >> %AuditPolicyLog%
          exit /b 1
      ) else (
          echo Copied \\%machinedomain%\netlogon\%ApplyAuditPolicyCMD% to %systemroot%\temp >> %AuditPolicyLog%
      )
      
      xcopy \\%machinedomain%\netlogon\%AuditPolicyTxt% %systemroot%\temp\*.* /r /h /v /y
      if %ERRORLEVEL% NEQ 0 (
          echo Could not read \\%machinedomain%\netlogon\%AuditPolicyTxt% >> %AuditPolicyLog%
          exit /b 1
      ) else (
          echo Copied \\%machinedomain%\netlogon\%AuditPolicyTxt% to %systemroot%\temp >> %AuditPolicyLog%
      )
      
      REM ###################################################
      REM Create Named Scheduled Task to Apply Policy
      REM ###################################################
      
      %systemroot%\system32\schtasks.exe /create /ru System /tn audit /sc hourly /mo 1 /f /rl highest /tr "%systemroot%\temp\%ApplyAuditPolicyCMD%"
      if %ERRORLEVEL% NEQ 0 (
          echo Failed to create scheduled task for Audit >> %AuditPolicyLog%
          exit /b 1
      ) else (
          echo Created scheduled task for Audit >> %AuditPolicyLog%
      )
      
      REM ###################################################
      REM Start Named Scheduled Task to Apply Policy
      REM ###################################################
      
      %systemroot%\system32\schtasks.exe /run /tn audit
      if %ERRORLEVEL% NEQ 0 (
          Failed to execute scheduled task for Audit >> %AuditPolicyLog%
      ) else (
          echo Executed scheduled task for Audit >> %AuditPolicyLog%
      )

   3. On the File menu, click Save.
   4. In the Save as type box, click All Files, type AuditPolicy.cmd in the File name box, and then click Save.
2. Create the ApplyAuditPolicy.cmd script. To do this, follow these steps:
   1. Start Notepad, and then open a blank document.

   2. Paste the following code to the document in Notepad:

      @echo off
      
      REM ApplyAuditPolicy.cmd
      REM (c) 2006 Microsoft Corporation.  All rights reserved.
      REM Sample Audit Script to deploy Windows Vista
      REM Granular Audit Policy settings.
      
      
      REM ###################################################
      REM Declare Variables so that we only need to edit file
      REM names/paths in one location in script
      REM ###################################################
      
      set DeleteAudit=DeleteAudit.txt
      set AuditPolicyLog=%systemroot%\temp\AuditPolicy.log
      set ApplyAuditPolicyLog=%systemroot%\temp\ApplyAuditPolicy.log
      set OSVersionSwap=%systemroot%\temp\osversionwap.txt
      set OsVersionTxt=%systemroot%\temp\osversion.txt
      set MachineDomainTxt=%systemroot%\temp\machinedomain.txt
      set MachineDomainSwap=%systemroot%\temp\machinedomainSwap.txt
      set ApplyAuditPolicyCMD=ApplyAuditpolicy.cmd
      set AuditPolicyTxt=AuditPolicy.txt
      
      REM ###################################################
      REM Clear Log & start fresh
      REM ###################################################
      
      if exist %ApplyAuditPolicyLog% del %ApplyAuditPolicyLog% /q /f
      date /t > %ApplyAuditPolicyLog% & time /t >> %ApplyAuditPolicyLog%
      echo.
      
      REM ###################################################
      REM Check OS Version
      REM ###################################################
      
      ver | findstr "[" > %OSVersionSwap%
      for /f "tokens=2 delims=[" %%i in (%OSVersionSwap%) do echo %%i > %OsVersionTxt%
      for /f "tokens=2 delims=] " %%i in (%OsVersionTxt%) do set osversion=%%i
      echo OS Version=%osversion% >> %ApplyAuditPolicyLog%
      
      REM ###################################################
      REM Skip Pre-Vista
      REM ###################################################
      
      if "%osversion%" LSS "6.0" exit /b 1
      
      REM ###################################################
      REM Get Domain Name
      REM ###################################################
      
      WMIC /namespace:\\root\cimv2 path Win32_ComputerSystem get domain /format:list > %MachineDomainSwap%
      find /i "Domain=" %MachineDomainSwap% > %MachineDomainTxt%
      for /f "Tokens=2 Delims==" %%i in (%MachineDomainTxt%) do set machinedomain=%%i
      echo Machine domain=%machinedomain% >> %ApplyAuditPolicyLog%
      
      REM ###################################################
      REM Delete Audit Task
      REM Should only be used to remove the pseudo-policy from
      REM client machines (designed for future Vista revisions
      REM where this script will no longer be necessary, and this
      REM script needs to be backed out).
      
      REM to use, simply create a file in NETLOGON with a name
      REM that matches the contents of DeleteAudit variable (above)
      REM ###################################################
      
      if exist \\%machinedomain%\netlogon\%DeleteAudit% (
          %systemroot%\system32\schtasks.exe /delete /tn "Audit" /F
          DEL %AuditPolicyLog%
          DEL %ApplyAuditPolicyLog%
          DEL %OSVersionSwap%
          DEL %OsVersionTxt%
          DEL %MachineDomainTxt%
          DEL %MachineDomainSwap%
          DEL %systemroot%\temp\%ApplyAuditPolicyCMD%
          DEL %systemroot%\temp\%AuditPolicyTxt%
          exit /b 1
      ) 
      
      REM ###################################################
      REM Copy Audit Policy to Local Directory
      REM This is tolerant of failures since the copy is just
      REM a "cache refresh".
      REM ###################################################
      
      xcopy \\%machinedomain%\netlogon\%AuditPolicyTxt% %systemroot%\temp\*.* /r /h /v /y
      if %ERRORLEVEL% NEQ 0 (
          echo Could not read \\%machinedomain%\netlogon\%AuditPolicyTxt% so using previous cached copy>> %ApplyAuditPolicyLog%
      ) else (
          echo Copied \\%machinedomain%\netlogon\%AuditPolicyTxt% to %systemroot%\temp >> %ApplyAuditPolicyLog%
      )
      
      REM ###################################################
      REM Apply Policy
      REM ###################################################
      
      %systemroot%\system32\auditpol.exe /restore /file:%systemroot%\temp\%AuditPolicyTxt%
      if %ERRORLEVEL% NEQ 0 (
          Failed to apply audit settings >> %ApplyAuditPolicyLog%
      ) else (
          echo Successfully applied audit settings >> %ApplyAuditPolicyLog%
      )

   3. On the File menu, click Save.
   4. In the Save as type box, click All Files, type ApplyAuditPolicy.cmd in the File name box, and then click Save.
3. Copy the AuditPolicy.cmd script and the ApplyAuditPolicy.cmd script to the Netlogon share of the domain controller that holds the PDC emulator role in the domain.
4. Wait until Active Directory replication occurs. Also, wait until the files and folders in the system volume (SYSVOL) shared folder replicate on domain controllers in the domain.
5. Add the startup script to the Default Domain Policy. To do this, follow these steps:
   1. Start the Active Directory Users and Computers tool.
   2. Right-click DomainName, and then click Properties.
   3. Click the Group Policy tab, click Default Domain Policy, and then click Edit. The Group Policy Object Editor tool starts.
   4. Expand Computer Configuration, expand Windows Settings, and then click Scripts (Startup/Shutdown).
   5. Double-click Startup, and then click Add.
   6. In the Script Name box, type the universal naming convention (UNC) path of the AuditPolicy.cmd file that is located in the Netlogon share. Use the following format:

      \\FullyQualifiedDomainName\Netlogon\AuditPolicy.cmd

      For example, type \\contoso.com\netlogon\auditpolicy.cmd.
   7. Click OK two times.

Step 4: Verify that the security auditing settings are successfully applied

1. Wait until Active Directory replication occurs. Also, wait until the files and folders in the system volume (SYSVOL) shared folder replicate on domain controllers in the domain.
2. Restart a Windows Vista client computer that is joined to the domain. Then, log on to the computer as a user who has administrator credentials.
3. Click Start, point to All Programs, and then click Accessories.
4. Right-click Command Prompt, and then click Run as administrator.
5. In the User Account Control dialog box, click Continue.
6. Type the following line at the command prompt, and then press ENTER:

   auditpol /get /category:*

7. Verify that the security auditing settings that are displayed at the command prompt match the settings that are configured in the AuditPolicy.txt file that you created in "Step 1: Determine the security auditing settings that you want to deploy to Windows Vista client computers."
   
   If the security auditing settings do not match, examine the log files that are generated by the startup script in the %SystemRoot%\Temp folder. If no log files exist in the %SystemRoot%\Temp folder, examine the Windows Vista client computer to determine why Group Policy was not applied.