Have checked the server logs and am seeing audit success/audit failure messages in the logs. The server is showing with the error:
"Logon Auditing is disabled, some functionality will be unavailable for this DC. Please turn on Auditing of invalid logons in audit policy settings for this DC."
Any thoughts on fixing this issue? Planning to replace our Server 2008 R2 DCs with this and another Server 2016 R2 DCs in the next few weeks and would like to be able to continue to use ALE to troubleshoot lockout issues, if possible.
See below please. Looks like everything that should be enabled is...
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Failure
  IPsec Quick Mode                        Failure
  IPsec Extended Mode                     Failure
  Special Logon                           Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
  User / Device Claims                    Failure
  Group Membership                        No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              Success
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        Success
  Process Termination                     Success
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Plug and Play Events                    No Auditing
  Token Right Adjusted Events             No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success
  Authorization Policy Change             Success
  MPSSVC Rule-Level Policy Change         Success
  Filtering Platform Policy Change        Success
  Other Policy Change Events              Success
Account Management
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           Success
  Application Group Management            Success
  Other Account Management Events         Success
  User Account Management                 Success and Failure
DS Access
  Directory Service Access                Success
  Directory Service Changes               Success
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Failure
...and it's not displaying this error on the Server 2008R2 servers that the 2016R2 servers are going to replace.