Security Audit Policy Question

%3CLINGO-SUB%20id%3D%22lingo-sub-1956600%22%20slang%3D%22en-US%22%3ESecurity%20Audit%20Policy%20Question%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1956600%22%20slang%3D%22en-US%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20am%20fairly%20new%20to%20the%20Windows%20Admin%20role%20and%20I%20am%20working%20on%20tuning%20our%20servers%20audit%20policies%20due%20to%20high%20volume%20of%20security%20event%20logging.%20When%20I%20look%20at%20the%20audit%20policy%20via%20our%20GPO%2C%20it%20does%20not%20have%20Removable%20Storage%20turned%20on.%20When%20I%20go%20to%20Local%20Security%20Policy%2C%20it%20is%20also%20not%20on%20in%20there.%20When%20I%20run%20auditpol%20it%20shows%20it%20as%20both%20success%20and%20failure.%20Also%20if%20I%20update%20any%20of%20the%20audit%20policies%20using%20auditpol%2C%20it%20gets%20wiped%20after%20a%20reboot.%20Can%20anyone%20please%20explain%20to%20me%20how%20the%20Removable%20Storage%20is%20persistent%20across%20a%20reboot%20if%20it%20isn't%20in%20the%20GPO%3F%20The%20OS%20is%20Windows%20Server%202016.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1956600%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EManagement%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Occasional Contributor

Hello,

I am fairly new to the Windows Admin role and I am working on tuning our servers audit policies due to high volume of security event logging. When I look at the audit policy via our GPO, it does not have Removable Storage turned on. When I go to Local Security Policy, it is also not on in there. When I run auditpol it shows it as both success and failure. Also if I update any of the audit policies using auditpol, it gets wiped after a reboot. Can anyone please explain to me how the Removable Storage is persistent across a reboot if it isn't in the GPO? The OS is Windows Server 2016.

0 Replies