Event viewer security log not updating
:-) So I found the below explicitly stated in addition to the info provided earlier - 'as soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored.'

From: https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/

If you use advanced audit, don't bother configuring the local policy\audit policy setting as it will be ignored once you set the policy for enabling advanced audit which is: “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”

Thanks for setting me in the right direction.

1 of our 7 Domain Controllers is not logging any security events, except for the single entries when we clear the logs or restart the Windows Event Log service. The Group Policy settings for Default Domain Controllers are as per the attachment, yet the security event log shows only a handful of events despite there being numerous issues with one user account being locked out. I have twice gone through the steps: disabling the event log service, rebooting, renaming the security event log file, re-enabling the service and re-booting, which generates a new security event viewer log file, but no entries appear after the initial logs.

It sounds like everything is doing what it is set to do, but it is set incorrectly maybe for what you want?
This certainly sounds as if the account that your Windows service is running under doesn't have enough rights to write to the event log in question.

The event viewer was working well, and then, the Diagnostics-Performance stopped logging. Vista website was not helpful in troubleshooting, only recommended to enable it. I think it can be started using REGEDIT but I don't know which key to enable.

The other 6 DCs are logging security events without issue. Here are the audit settings:

Audit account logon events: Success, Failure
Audit account management: Success, Failure
Audit directory service access: Success, Failure
Audit logon events: Success, Failure
Audit object access: Success, Failure
Audit policy change: Success, Failure
Audit privilege use: Success, Failure
Audit process tracking: Success
Audit system events: Success, Failure

Please advise on possible actions to take or what to look for.

Affected DC:

Account Management
  Computer Account Management: No Auditing
  Security Group Management: No Auditing
  Distribution Group Management: No Auditing
  Application Group Management: No Auditing
  Other Account Management Events: No Auditing
  User Account Management: No Auditing

All other DCs:

Account Management
  Computer Account Management: Success and Failure
  Security Group Management: Success and Failure
  Distribution Group Management: Success and Failure
  Application Group Management: Success and Failure
  Other Account Management Events: Success and Failure
  User Account Management: Success and Failure

Out of the 7 DCs, 2 have the Custom SD set and they and the others without this set are logging fine.

Sounding like your GPO is not applying the settings.
shows that the settings are all set to No Auditing.

repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads

Also has this DC been rebooted?

The security of this directory server can be significantly enhanced by configuring the server to reject such binds.