Auditing is enabled but no audit data appears in the Windows Event Viewer Security logs.
Auditing is configured in the Default Domain Controllers Policy, but no security audit data appears in the Windows Event Viewer security logs on Windows 2008 Domain Controllers.
In Windows Vista and above and in Windows Server 2008 and above there are two audit policies: The Basic Security Audit Policy settings in Security Settings\Local Policies\Audit Policy and the Advanced Security Audit Policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies.
The Basic Audit Policy is not compatible with Advanced Audit Policy settings that are applied by using Group Policy in Windows Server 2008 and above and and Windows 7. As soon as Advanced Audit Policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting Advanced Audit Policy settings are applied. After Advanced Audit Policy settings are applied by using Group Policy, you can only reliably set system audit policy for the computer by using the Advanced Audit Policy settings.
If all the Advanced Policy settings are subsequently cleared (“Not configured”, figure 3), Windows does not revert to the Basic Audit Policy settings, but continues to use the Advanced Audit policy “Not Configured” settings.
The command “auditpol /get /category:*” will show that auditing is not enabled for any of the categories, (figure 4).
Advanced Audit Policy stores all of its local security policy values in an audit.csv file located in “%systemroot%\SYSVOL\domain\Policies\[GPO UNIQUE NAME]\machine\Microsoft\Windows NT\Audit\” which is then copied to “%systemroot%\security\audit\”. Deleting these files will cause Windows to revert to using the basic audit policy.
To obtain the unique name of the GPO policy, right click on the policy name in GPMC and select “Properties” from the context menu, (figure 5).
In this example, the GPO is the Default Domain Controllers Policy, (figure 6). Notice the “Unique name” value.
Locate the GPO container for the policy in “%systemroot%\SYSVOL\Domain\Policies” and select the Unique name.
Delete the audit.csv file within “%systemroot%\SYSVOL\Domain\Policies\[Unique Name]\MACHINE\Microsoft\Windows NT\Audit”, (figure 8).
Delete the other audit.csv file from “%systemroot%\security\audit”, (figure 9).
Next, run “gpupdate /force” at the command prompt to force a policy update, (figure 10).
Now the utility “auditpol /get /category:*” will show that Windows is now using the setting from the Basic policy, (figure 11).