Security auditing settings are not applied to Windows Vista client computers when you deploy a domain-based policy (921468)



The information in this article applies to:

  • Windows Vista Ultimate
  • Windows Vista Business
  • Windows Vista Enterprise

Beta Information

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about how to obtain support for a Beta release, see the documentation that is included with the Beta product files, or check the Web location where you downloaded the release.
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

Consider the following scenario. You deploy a domain-based policy to configure security auditing settings on Microsoft Windows Vista client computers in an Active Directory directory service domain. You run the Resultant Set of Policy (RSoP) tool on one of the Windows Vista client computers. When you do this, the RSoP tool indicates that the policy is being applied. However, the policy is not actually applied to one or more Windows Vista client computers.

CAUSE

This issue occurs if the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting is enabled on the Windows Vista client computer. The policy setting can be enabled by using Group Policy or it can be enabled manually by modifying the registry.

RESOLUTION

To resolve this issue, use one of the following methods, as appropriate for your situation.

Method 1: Disable the policy setting by using Group Policy Object Editor

Verify that the policy setting was enabled by using Group Policy, and then disable the policy setting by using Group Policy Object Editor. To do this, follow these steps:
  1. Verify that the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting was enabled by using Group Policy. To do this, follow these steps:
    1. On the Windows Vista client computer, click Start, point to All Programs, click Accessories, click Run, type rsop.msc in the Open box, and then click OK.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
    3. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    4. Verify that the policy setting is set to Enabled, and then note the Group Policy object (GPO).
  2. Disable the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting in the GPO. To do this, follow these steps:
    1. In Group Policy Object Editor, open the GPO.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
    3. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
    4. Click Disabled, and then click OK.
  3. Restart the Windows Vista client computer or computers.

Method 2: Disable the policy setting by using Registry Editor

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

To manually disable the policy setting by using Registry Editor, follow these steps:
  1. Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
  2. Click Start, point to All Programs, click Accessories, click Run, type regedit in the Open box, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
  3. Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA

  4. Right-click SCENoApplyLegacyAuditPolicy, and then click Modify.
  5. Type 0 in the Value data box, and then click OK.
  6. Exit Registry Editor.
  7. Restart the Windows Vista client computer.
Note If the policy is a domain-based policy, and it is not a locally-based policy, you may have to wait for Active Directory replication and SYSVOL replication to complete before the policy settings take effect on Windows Vista client computers.
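
The registry check and change from Method 2 can also be scripted. The following PowerShell function is an added example, not part of the original article; the function name, the -Disable switch and the output fields are assumptions. It must be run from an elevated session.

```powershell
# Added example: report the state of SCENoApplyLegacyAuditPolicy and, on request,
# set it to 0 as in Method 2, step 5. Names below are hypothetical.
function Get-LegacyAuditOverrideState {
    param(
        [switch]$Disable   # when present, write 0 if the entry is currently enabled
    )

    $key  = 'HKLM:\System\CurrentControlSet\Control\Lsa'
    $name = 'SCENoApplyLegacyAuditPolicy'

    # Read the entry; a missing entry is reported rather than treated as an error.
    $current = $null
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($prop) { $current = $prop.$name }

    if ($null -eq $current) {
        $state = 'NotConfigured'
    } elseif ($current -eq 0) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'      # the condition described under CAUSE
    }

    # Only touch an existing, enabled entry so its registry type is preserved.
    $changed = $false
    if ($Disable -and $state -eq 'Enabled') {
        Set-ItemProperty -Path $key -Name $name -Value 0
        $changed = $true
    }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        ValueBefore     = $current
        StateBefore     = $state
        Changed         = $changed
        RestartRequired = $changed   # Method 2, step 7
    }
}

# Report only:
Get-LegacyAuditOverrideState
# Report and disable:
# Get-LegacyAuditOverrideState -Disable
```

If the entry was enabled through a GPO rather than set locally, the next policy refresh writes it back, so use Method 1 in that case. After the restart, `auditpol /get /category:*` shows the audit settings that are actually in effect, which can be compared with what RSoP reports.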

MORE INFORMATION

Windows Vista and later versions of Windows enable you to manage audit policies in a more precise manner by using audit policy subcategories. If you configure audit policies at the category level, you override audit policy subcategories.

If you want to manage audit policies by using audit policy subcategories, and you do not want to use Group Policy, you can configure the SCENoApplyLegacyAuditPolicy registry entry. When you configure the SCENoApplyLegacyAuditPolicy registry entry, you prevent category-level audit policies that were configured by using either Group Policy or the Local Security Policy tool from being applied.

However, be aware that the policy setting may not be enforced if a different policy is configured to override the category-level audit policy. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

921469 How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 or Windows 2000 domain


Modification Type: Minor
Last Reviewed: 7/17/2006
Keywords:kbRegistry kbExpertiseInter kbtshoot kbprb KB921468 kbAudITPRO