Forum

Ultimate Windows Security Forum » Security Log » 4719 - System audit policy was changed » Domain Controllers logging success/failure...

Domain Controllers logging success/failure... Expand / Collapse
Rate Topic
Display Mode
Topic Options
Author
Message
bobbychan
Posted 3/29/2017 10:03:37 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 3/27/2017 11:26:15 AM
Posts: 1, Visits: 2
When searching in our Splunk Logs with Event ID 4719, we have found that logs from different Domain Controllers have audit logs from different subcategory audit policies "removed" success/failure and immediately after, "added" success/failure for the same subcategory audit policy. What could be causing this? We are utilizing Server 2012 for our DCs.
Post #7352
derekthomas
Posted 4/11/2017 1:46:36 PM
Supreme Being

Supreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 223, Visits: 0
I have seen this with conflicting GPO's. Default domain controllers GPO may set certain audit categories while another GPO may enable or disable those settings. Check for multiple GPO's trying to set audit settings.
Post #7357
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 9:04am