SecPol can’t detect audit policy changes made through the auditpol command

The auditpol command and the secpol UI display inconsistent audit policy results. If you modify an audit policy through the auditpol command, secpol can’t detect the change. (Win2008 R2 SP1 RC still has this issue.)

Repro Steps:
1.    To describe this issue more precisely, we use one audit policy (“logon/logoff”) as an example.
2.    First, type “auditpol /clear” in a command prompt with administrative privileges to reset all audit settings to their default values.
3.    Run “auditpol /get /category:*” to make sure the “logon/logoff” policy is not configured, and also run “secpol.msc” to make sure the “logon/logoff” policy under Advanced Audit Policy Configuration is not configured.
4.    Run “auditpol /set /category:"logon/logoff" /success:enable” to modify this policy.
5.    Run “gpupdate /force”.
Then we can see the inconsistent result between the auditpol command prompt and the secpol.msc UI.
Run “auditpol /get /category:*” in the command prompt; the output shows that the “logon/logoff” policy was modified. But in the secpol.msc UI the “logon/logoff” policy is still shown as not configured.

It seems the secpol UI can’t detect changes made through the auditpol command, which makes the output of these two tools inconsistent. Hope the fix will be published soon.
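
One way to list the mismatch the steps above produce, as an added example that is not part of the original post: the script compares what auditpol reports with the advanced audit settings stored for local policy. It assumes English auditpol output and that the local GPO keeps these settings in the audit.csv file at the path shown; the variable names are illustrative.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Assumption: the local GPO stores advanced audit settings in this file.
$gpoCsv = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'

# What auditpol reports: /r emits CSV; drop blank lines before parsing.
$effective = auditpol /get /category:* /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv

# Local GPO settings keyed by subcategory GUID (stays empty if nothing is configured).
$configured = @{}
if (Test-Path $gpoCsv) {
    Import-Csv $gpoCsv | ForEach-Object {
        $guid = $_.'Subcategory GUID'
        if ($guid) { $configured[$guid.ToUpper()] = $_.'Inclusion Setting' }
    }
}

$report = foreach ($row in $effective) {
    $guid = $row.'Subcategory GUID'
    if (-not $guid) { continue }                 # skip rows that are not subcategories
    $guid = $guid.ToUpper()
    $reported = $row.'Inclusion Setting'

    if ($configured.ContainsKey($guid)) {
        $local = $configured[$guid]
        $differs = ($local -ne $reported)        # configured locally, but auditpol disagrees
    } else {
        $local = 'Not Configured'
        $differs = ($reported -ne 'No Auditing') # enabled without any local policy entry
    }

    if ($differs) {
        New-Object PSObject -Property @{
            Subcategory = $row.Subcategory
            Auditpol    = $reported
            LocalPolicy = $local
        }
    }
}

if ($report) {
    $report | Sort-Object Subcategory | Format-Table Subcategory, Auditpol, LocalPolicy -AutoSize
} else {
    'auditpol output and local policy settings agree.'
}
```

After step 4 of the repro, the logon/logoff subcategories should appear with Auditpol set to Success and LocalPolicy set to Not Configured.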

Comments (2)

  1. Anonymous says:

    This bug has been driving me around the bend. Now I don't know which to believe…

  2. Brett Hansen says:

    Agreed, what takes precedence?