How to use Group Policy to audit registry keys in Windows Server 2003 (324739)
The information in this article applies to:
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows Small Business Server 2003, Standard Edition
- Microsoft Windows Small Business Server 2003, Premium Edition
This article was previously published under Q324739.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
For a Microsoft Windows 2000 version of this article, see 315416.
SUMMARY
This article describes how to use Group Policy to configure auditing of Windows registry keys.
Create a Group Policy Object
To create a Group Policy object (GPO) that you can use to turn on auditing in a domain, follow these steps:
- Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
- Right-click your domain, and then click Properties.
- Click the Group Policy tab, and then click New.
- Type the name that you want to use for this policy (for
example, Enable auditing policy), and then press
ENTER.
- Click Properties, and then click the Security tab.
- Click to clear the Allow check box next to Apply Group Policy for the security groups that you want to prevent from having this
policy applied.
- Click to select the Allow check box next to Apply Group Policy for the groups to which you want to apply this policy, and then
click OK.
- Click OK, click OK again, and then quit Active Directory Users and
Computers.
Turn On Auditing in Group Policy
If auditing is not already turned on, you must turn it on. In a domain, turn on auditing in a GPO that is linked to the domain. On either a server or a workstation that is not a member of the domain, turn on auditing in a local GPO.
Turn On Auditing on a Domain Controller
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click your domain, and then click Properties.
- Click the Group Policy tab, click the Group Policy object that you want to use, and then
click Edit.
- Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
- In the right pane, double-click Audit object
access.
- Click to select the Define these policy
settings check box, click to select the Success check box, click to select the Failure check box, and then click OK.
NOTE: The Audit object access policy setting is enough to turn on auditing for the Windows registry.
- Quit the Group Policy Object Editor snap-in, and then click Close.
Turn On Auditing on a Computer That Is Not a Member of a Domain
- Click Start, and then click Run.
- In the Open box, type gpedit.msc, and then click OK.
- Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
- In the right pane, double-click Audit object
access.
- Click to select the Success check box, click to select the Failure check box, and then click OK.
NOTE: The Audit object access policy is enough to turn on auditing for the Windows registry.
- Quit the Group Policy Object Editor snap-in.
Audit a Registry Key
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Locate and click the registry key that you want to audit, for example:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- On the Edit menu, click Permissions.
- Click Advanced, click the Auditing tab, and then click Add.
- Type the user account or group whose access to this
registry key you want to audit, click Check Names to verify the name, and then click OK.
- In the Apply onto box, click the option
that you want.
- Click to select the Successful and Failed check boxes next to the following access types:
Set Value
Create Subkey
- Click OK, and then click OK.
You may receive the following message:
The current Audit Policy for this computer does not have auditing turned on. If this computer receives audit policy from the domain, please ask a domain administrator to turn on auditing using Group Policy Editor. Otherwise, use the Local Computer Policy Editor to configure the audit policy locally on this computer.
If auditing is not turned on, you must turn it on by following the steps in the Turn On Auditing in Group Policy section of this article.
- Click OK.
- Quit Registry Editor.
Audit events are displayed in the Security log of Event Viewer.
Use a Security Template to Audit Registry Keys
You can also use a security template to audit registry keys. To configure the audit policy, either create a custom security template or modify an existing template, and then use Group Policy to apply this template to multiple computers in a domain or an organizational unit (OU).
Create a Security Template
To create a new security template or to modify an existing template, follow these steps:
- Click Start, and then click Run.
- In the Open box, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in.
- Click Add, click Security Templates, click Add, click Close, and then click OK.
- In the console tree, expand Security Templates, and then expand drive:\WINDOWS\Security\Templates, where drive is the drive on which
Windows is installed.
- Do one of the following:
- If you want to modify an existing template, expand the
template that you want to use, for example, hisecws (high-security workstation template).
- If you want to create a new security template, follow
these steps:
- Right-click drive:\WINDOWS\Security\Templates, and then click New Template.
- Type a name for the template in the
Template name box, and then click OK.
- Expand the new template that you
created.
- Right-click Registry, and then click Add Key.
- In the Registry list, click the registry key that you want to use, and then click OK. For example:
MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Click Advanced, click the Auditing tab, and then click Add.
- Type the user account or group whose access to this
registry key you want to audit, click Check Names to verify the name, and then click OK.
- In the Apply onto box, click the option
that you want.
- Click to select the Successful and Failed check boxes next to the type of access that you want to audit for either the selected user or the selected security group, and then click OK. For example, click to select the Successful and Failed check boxes next to Set Value.
- Click OK.
If you receive the following message, click OK:
The current Audit Policy for this computer does not have auditing turned on. If this computer receives audit policy from the domain, please ask a domain administrator to turn on auditing using Group Policy Editor. Otherwise, use the Local Computer Policy Editor to configure the audit policy locally on this computer.
- Click OK, and then click OK.
- Expand Local Policies, and then click Audit Policy.
- In the right pane, double-click Audit object access.
- Click to select the Define these policy settings in the template check box, click to select the Success check box, click to select the Failure check box, and then click OK.
NOTE: The Audit object access policy setting is enough to turn on auditing for the Windows registry.
- Quit the Security Templates snap-in.
- If a Save Security Templates dialog box is displayed, click Yes to save the custom security template that you created.
Apply the Security Template
Use Group Policy to apply the security template that contains the audit policy that you configured. To do so, follow these steps:
- Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
- Do one of the following:
- If you want to apply the security template to the whole domain, right-click the domain, and then click Properties.
-or-
- If you want to apply the security template to an organizational unit, expand the domain, right-click the organizational unit, and then click Properties.
- Create a GPO to use to apply the security template. To do
so:
- Click the Group Policy tab.
- Click New.
- Type a name for the GPO in the New Group Policy
Object box (for example, Apply Audit Policy Security
Template), and then press ENTER.
- Click Edit.
- Under Computer Configuration, expand Windows Settings, right-click Security Settings, and then click Import Policy.
- Click the security template that you created, click to
select the Clear this database before importing check box, and
then click Open.
NOTE: When the Clear this database before importing check box is selected, all of the security settings in the GPO are replaced with those of the security template that you import.
- Quit the Group Policy Object Editor snap-in, and then click Close.
- Quit Active Directory Users and Computers.
Troubleshooting
After you configure auditing, registry audit events may not be generated as expected. This behavior can occur for any of the following reasons:
- A site, a domain, or an organizational unit policy setting
overrides the audit policy that you configured. To troubleshoot this issue,
follow these steps:
- Click Start, and then click Run.
- In the Open box, type gpedit.msc, and then click OK.
- Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
- In the right pane, view the item in the Security Setting column of the policy that you want to use.
If the security setting of the policy is No auditing, a higher-level GPO may be overriding the audit policy setting that you configured. To confirm this behavior, view the higher-level GPO items that are linked to either the organizational unit or to the domain for possible conflicts.
- Click to select the Audit these attempts check box, click to select the Success check box, click to select the Failure check box, and then click OK.
NOTE: The Audit object access policy setting is enough to turn on auditing for the Windows registry.
- Quit the Group Policy Object Editor snap-in.
- A GPO that overrides the audit policy setting has a higher
priority. To troubleshoot this issue, follow these steps:
- Click Start, point to Administrative Tools, and then click Active Directory Users and
Computers.
- In the console tree, right-click your domain, and then
click Properties.
- Click the Group Policy tab. View the Group Policy Objects Links list. Items that are higher in the list override other lower-level items.
- If the GPO that contains your audit policy setting is listed below a higher-priority GPO item that turns off auditing, do one of the following steps:
- Click the GPO that contains the audit policy
setting that you want to use, and then click Up to move it above the higher-priority item in the list.
WARNING: Make sure that other settings in your GPO do not conflict with the settings in the GPO items that are listed below it.
-or-
- Edit the GPO items that are listed above the GPO that contains the audit policy setting to remove conflicting policy settings.
NOTE: You may want to combine the audit settings from one GPO with
those of a higher-level GPO to resolve the audit policy conflict and to reduce
the number of GPO items.
- When you are finished, click OK, and then click Exit on the File menu.
- The site, the domain, or the organizational unit policy
setting that contains the audit policy setting has not replicated to other
computers. To resolve this issue, use the Secedit.exe command-line utility to
force Group Policy to be refreshed.
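The configuration the sections above build in the GUI, as an added example that is not from the KB article: turn on Audit object access with a minimal security template applied by Secedit.exe, add the SACL entry to the article's example Run key, and read the resulting records from the Security log. It assumes an elevated PowerShell prompt on the audited computer, an account that holds the Manage auditing and security log right, Everyone as the audited principal and C:\Temp as a scratch path; event ID 560 is Windows Server 2003's Object Open event and is not something the article states.

```powershell
# 1. Turn on "Audit object access" (Success and Failure) through a minimal
#    security template applied with Secedit.exe (value 3 = success + failure).
#    On a domain member, a domain or OU GPO that defines this setting overrides
#    the local value, as the Troubleshooting section explains.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditObjectAccess = 3
'@
$infPath = 'C:\Temp\audit-object-access.inf'   # assumed scratch path
$inf | Out-File -FilePath $infPath -Encoding Unicode
secedit /configure /db 'C:\Temp\audit-object-access.sdb' /cfg $infPath /areas SECURITYPOLICY /quiet

# 2. Add a SACL entry to the article's example key: audit successful and failed
#    Set Value and Create Subkey attempts by Everyone, inherited by subkeys.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$rights  = [System.Security.AccessControl.RegistryRights]::SetValue -bor
           [System.Security.AccessControl.RegistryRights]::CreateSubKey
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',                                                # assumed principal
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure))
$acl = Get-Acl -Path $keyPath -Audit      # -Audit is needed to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. Read the SACL back to confirm the entry is present.
(Get-Acl -Path $keyPath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize

# 4. Find the resulting records in the Security log. Windows Server 2003 logs
#    audited registry access as event 560 (Object Open) with Object Type "Key";
#    Windows Vista and later use events 4656/4657 instead.
Get-EventLog -LogName Security -Newest 500 |
    Where-Object { $_.EventID -eq 560 -and
                   $_.Message -match 'Object Type:\s+Key' -and
                   $_.Message -match 'CurrentVersion\\Run' } |
    Select-Object TimeGenerated, EntryType, Message | Format-List
```

Step 4 only returns records once something has written to the key after steps 1 and 2 took effect, so an empty result right after running the script is expected.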
REFERENCES
For more information about using Group Policy, click the following article number to view the article in the Microsoft Knowledge Base:
214752 How to add custom registry settings to Security Configuration Editor
Modification Type: Major
Last Reviewed: 5/30/2006
Keywords: kbMgmtServices kbhowto kbHOWTOmaster KB324739 kbAudITPro