2

I'm trying to enable Kerberos Authentication auditing in a GPO for the purpose of sending auth events to an AD-integrated web filter appliance, and the instructions have me enable auditing of the Kerberos Authentication services by going to:

Computer Configuration
> Policies
  > Windows Settings
    > Security Settings
      > Advanced Audit Policy Configuration
        > System Audit Policies - Local Group Policy Object
          > Account Logon
            > Audit Kerberos Authentication Service

But when I look at my GPO objects (for example, "Default Domain Controller Policy"), I don't even see the "Advanced Audit Policy Configuration" node under "Security Settings".

I've searched every way I know how to find out if this advanced node is something that needs to be enabled somehow or if there's some other reason why it wouldn't be showing up, but I'm coming up empty. Everything I've found just talks about it like it should always be there...

This is in a Windows Server 2008 functional level domain/forest, if that matters.

Any help is greatly appreciated.

EDIT 1: Prompted by the answer below from TheCleaner, I realized that our DCs are all 2008, not R2 (the last remaining 2008s in our organization), and this is a feature new to 2008 R2.

I tried installing GPMC on a 2008 R2 member server and setting the policy there, but it doesn't look like it's being applied to the 2008 DCs, even after a gpupdate /force (I will try rebooting tonight to see if that helps).

Is this audit policy setting ("Audit Kerberos Authentication Service" > "Success" enabled) available elsewhere in 2008, or was it a new policy setting added in 2008 R2?

EDIT 2: This TechNet article seems to indicate that the policy setting is only available on Windows 6.1 (Win7/2008R2), but that the audit events should appear on anything 6.0 (Vista/2008) and up...

Should I be more patient waiting for the GPO to be applied, or just wait until the reboot?

EDIT 3: Okay, 4 out of my 5 DCs (all running 2008) are now respecting the "Audit Kerberos Authentication Service" audit policy and are generating the security log events that I need for this to work. I was given clearance to reboot the one DC that still isn't showing the Kerberos audit events, and it's still not showing them.

Ordinarily I would do an RSoP or gpresult to see which settings are being/not being applied to this DC and why, but in this case, both omit the "Advanced Audit Policy Configuration" settings, even when run remotely on the R2 server I used to configure them...

Any suggestions for troubleshooting 2008-applicable GPO settings that don't show up in the 2008 GPMC?

Jon Heese

2 Answers

3

On a 2008 R2 DC, in GPMC, it should be there by default (make sure you are using the GPMC within a 2008 R2 DC). Are you actually looking down far enough? It's at the bottom of the list.

You can try right clicking "Security Settings" and choose reload if you don't see it, but by default it is in 2008 R2.

TheCleaner
  • Shoot... Our DCs are 2008, not R2. Can I connect to GPMC from a 2008R2 member server to see it? (And yes, that second screen shot is exactly what was in the instructions I'm following.) – Jon Heese May 09 '13 at 16:14
  • heh...your question and tags state R2. – TheCleaner May 09 '13 at 16:15
  • Yeah, I mistyped the title. I didn't add the tag, I assume an admin added it based on the title. I fixed both just now. So should I expect this to work from an R2 member server then? – Jon Heese May 09 '13 at 16:17
  • @JonHeese - an R2 member with GPMC or a Win7 client should be able to see this setting yes...I don't know though if the DCs will require the security template in order to apply the policy correctly. This might help too: http://blogs.technet.com/b/grouppolicy/archive/2009/12/23/how-to-install-rsat.aspx read the note in the middle – TheCleaner May 09 '13 at 16:19
  • I edited my question to reflect my new state on this one. Thanks. – Jon Heese May 09 '13 at 16:46
  • Welcome...just saw your updates...glad it is applying correctly. You may not be able to do a "settings" check for this GPO inside the 2008 DCs, so if you need to see what this GPO really does it might require always checking in the R2 box. – TheCleaner May 09 '13 at 17:29
0

Not related to the issue, but probably worth mentioning:

Important
Whether you apply advanced audit policy by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Security Settings\Advanced Audit Policy Configuration.

Using both advanced and basic audit policy settings can cause unexpected results.

If you use Advanced Audit Policy Configuration settings or use logon scripts (for computers running Windows Vista or Windows Server 2008) to apply advanced audit policy, be sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.

Advanced Security Auditing FAQ
http://technet.microsoft.com/en-us/library/ff182311%28v=ws.10%29.aspx#BKMK_3

Greg Askew
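One way to check what a 2008 DC is actually enforcing when gpresult and RSoP omit the Advanced Audit Policy Configuration settings, as described in the question and answers above. This is an added example, not part of the original posts; it assumes an elevated PowerShell 2.0 session on the DC and English-language `auditpol` output, and `Test-KerberosAuditing` is a hypothetical helper name.

```powershell
# Added example. Run elevated on the domain controller under test.
# Test-KerberosAuditing is a hypothetical helper name, not a built-in cmdlet.
function Test-KerberosAuditing {
    $sub = 'Kerberos Authentication Service'

    # 1. Effective policy as held by the LSA on this machine. /r emits CSV,
    #    which avoids scraping the column-aligned text report.
    $row = auditpol /get /subcategory:"$sub" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'

    # 2. "Audit: Force audit policy subcategory settings ..." is stored as
    #    SCENoApplyLegacyAuditPolicy; 1 means the basic category settings
    #    under Local Policies\Audit Policy are ignored.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $forced = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

    # 3. Newest Kerberos TGT request event (ID 4768) in the Security log, if any.
    $evt = wevtutil qe Security '/q:*[System[(EventID=4768)]]' /c:1 /rd:true /f:text

    New-Object PSObject -Property @{
        Computer              = $env:COMPUTERNAME
        EffectiveSetting      = $setting
        SuccessAudited        = ($setting -like 'Success*')
        SubcategoryOverrideOn = $forced
        Has4768Event          = [bool]$evt
    }
}

Test-KerberosAuditing | Format-List
```

Comparing the output from a DC that logs the events with the one that does not shows whether the subcategory setting never arrived or whether it arrived and is being overridden by the basic audit policy.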