-1

This question addresses my issue, however the solution isn't solving it on all my workstations. One of my workstations turned off auditing this morning magically on its own. Each time I run a gpupdate /force the audits show that the policy is applied, then 2 seconds later they are all removed.

  • Enabling the built-in admin account and setting a password fixed the problem on one workstation
  • The second workstation kills auditing immediately after it is applied
  • There are always 3 "lsass.exe" "Sensitive Privilege Use" audit failures (event ID 4674) between the audits being enabled and then shut off again.
  • gpresult /h run as an administrator shows that the GPO is being successfully applied when it is not.
  • winlogon.log throws several errors

Winlogon.log Errors:

Monday, October 06, 2014 1:14:53 PM

----Configuration engine was initialized successfully

----Reading Configuration Template Info...

----Configure User Rights

SeImpersonatePrivilege must be assigned to administrators. This setting is adjusted.

SeImpersonatePrivilege must be assigned to SERVICE. This setting is adjusted

Configure S-1-5-20

   remove SeImpersonatePrivilege

Error 50: The request is not supported.

Configuring some user rights for this account is not supported. Re-attempting configuration by ignoring unsupported operation errors.

    remove SeImpersonatePrivilege

This string of errors continues for a couple more SIDs. I am befuddled! Why would the solution on the other system solve the problem, but not solve it here.

Community
  • 1
Shrout1
  • 373

2 Answers2

1

Ok looks like I am self answering.

First, perform the steps listed in the referenced serverfault answer from my original question. Check to see if the built in administrator is disabled / does not have a password set.

Next check this post on the technet forums. Ironically, it also points back to the post I made at the end of last week.

The following files need to be moved / deleted, the system needs to rebooted and gpupdate /force needs to be run.

  • c:\Windows\security\audit\audit.csv
  • c:\Windows\System32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv
  • c:\Windows\System32\GroupPolicy\gpt.ini

Remember, if advanced auditing needs to be DISABLED in the GPO first see my post on this and then make these changes.

Community
  • 1
Shrout1
  • 373
  • Just an FYI, this actually did solve my problem. So I hope that it proves to be useful to someone else. – Shrout1 Oct 14 '14 at 14:05
  • 1
    I had the same problem on my main pc for a long long time, every gp update would set all of audit policies to no audit, which was breaking wfc, which needs filtering platform failures to be logged, for me the key removal was "c:\Windows\System32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit" the entire directory.

    On a clean windows install it doesnt exist. the first folder you mentioned already didnt exist and the 3rd one if wiped would wipe the entire set of group policies so is dangerous if one already has policies configured.

    Thank you, you solved a very long mystery for me.

     – Chris C Jun 25 '23 at 04:03
  • Glad I helped! It's been many moons since I fought with that network... – Shrout1 Jun 26 '23 at 20:55
0

You either have some very dangerous, conflicting GPOs targeting this machine, or the system is badly corrupted, and needs to be re-imaged. S-1-5-20 is the SID for Network Service, and you really shouldn't be editing its permissions. Specifically, removing its impersonate privilege will prevent vital system services from functioning and will make the system unstable, which is why Windows is trying to reset the permissions on that account (and presumably the other built-in accounts).

Whether you try to repair and troubleshoot the system or do a fresh install is up to you, but generally speaking, a fresh install or a re-image is preferable because it's faster and more effective at removing problems. You could spend weeks repairing the OS on that machine and still not find everything that's wrong - at a minimum, you're be left with the unanswerable question of whether you got everything or not. If you re-image or reinstall, you go back to a known, good state, and simplify your life enormously.

HopelessN00b
  • 53,954