|
|
Forum Newbie
      
Group: Forum Members
Last Login: 3/27/2017 11:26:15 AM
Posts: 1,
Visits: 2
|
|
When searching in our Splunk Logs with Event ID 4719, we have found that logs from different Domain Controllers have audit logs from different subcategory audit policies "removed" success/failure and immediately after, "added" success/failure for the same subcategory audit policy. What could be causing this? We are utilizing Server 2012 for our DCs.
|
|
|
|
Supreme Being
      
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237,
Visits: 0
|
|
I have seen this with conflicting GPO's. Default domain controllers GPO may set certain audit categories while another GPO may enable or disable those settings. Check for multiple GPO's trying to set audit settings.
|
|
|
|