Can not see "Access Rights" in Advanced Audit Policy. Not Working

Hugo SANCHEZ 0 Reputation points
2025-06-25T12:05:10.2+00:00

Hi everyone,

Context

I'm switching from basic auditing to advanced audit policies.

I removed all basic audit policies from the various GPOs and created a single GPO to configure advanced audit policies on my domain (except for the Domain Controllers OU, which has the Default Domain Controllers Policy).

I noticed that some servers weren't applying the settings. Of course, I applied the following setting: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings."

Some servers aren't applying the GPO configuration, due to a conflict with the "%systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv" file (even though no audit policies have been set locally).

So I created a script that would provide me with the following information for each server:

  • %systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit\audit.csv (if it exists)
  • %systemroot%\security\audit\audit.csv
  • An export of the actual configuration applied via the command "auditpol /backup /file:{FILESHARE}"

I did all this to determine which servers correctly applied the configuration given by the GPO. No settings were left to default (no "not configured" settings) because sometimes the default configurations don't apply... All advanced audit settings were set to "Success", "Failure", "Success and Failure", or "No Auditing".

With all the exports obtained, I was able to obtain the configuration of all the servers and compare them with a reference file resulting from "auditpol /backup /file".

And that's where it all begins. My real question to identify the problems:

Why is it that on Windows Server 2022s, I can access the "Logon/Logoff - Access Rights" setting on one but not on the other?

Whether via auditpol /get /category:* or via secpol.msc to view local configurations, several servers don't have this setting while others do. Maybe a KB? But I did not find information about it.

In addition, the subcategory "Access Rights" is the only setting without a description (OS and minimum KB) on the Microsoft website: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-audit

Has this ever happened to you? Do you have any suggestions for fixing it? Advanced audit policies seem to operate rather erratically...

Windows for business | Windows Server | Devices and deployment | Other

1 answer

  1. Chen Tran 1,645 Reputation points Independent Advisor
    2025-06-27T06:53:33.9466667+00:00

    Hello,

    Thank you for posting your question on the Microsoft Windows Forum.

    Based on your description of the issue with Advanced Audit Policies on Windows Server 2022, where the "Logon/Logoff - Access Rights" subcategory is present on some servers but not on others, the following are some suggested points to address your queries.

    1. Check the OS Build Version:

    • The presence of certain audit subcategories can depend on the specific build of Windows. It is worth comparing the build numbers of the servers that have the "Access Rights" subcategory and those that don't.
    • "Access Rights" subcategory is build-dependent: This subcategory (0CCE922A-69AE-11D9-BED3-505054503030) was introduced in Windows 10 20H2/Windows Server 2022 Build 20348.502 (August 2022 CU) or later.
      • Servers missing this subcategory are likely running older builds.
      • Servers showing it have newer builds (post-August 2022 updates).
    • Verify OS builds: Run this PowerShell command on affected servers: Get-ComputerInfo | Select-Object OsName, OsVersion, OsBuildNumber

    2. Check for Missing Updates:

    • It is possible that the servers missing the subcategory require a specific update. We should check the update history and ensure that all servers are updated to the same level.

    3. Verify Group Policy Application:

    • Even though you have set the policy to force subcategory settings, we should ensure that the GPO is applying without errors. We can check the Resultant Set of Policy (RSOP) or the Group Policy event logs on the affected servers.

    4. Using auditpol to List Subcategories:

    • On a server where the subcategory is missing, try running the following command: auditpol /get /subcategory:* /r
    • This will list all subcategories and their settings. Look for the subcategory with the GUID that corresponds to "Access Rights". The GUID for "Access Rights" is 0CCE922A-69AE-11D9-BED3-505054503030. If this GUID is not present, then the OS build does not have it.

    5. Check the Audit CSV Files:

    • The presence of the audit.csv file in %systemroot%\system32\grouppolicy\machine\microsoft\windows nt\audit or %systemroot%\security\audit might be a remnant of old policies. You mentioned you have a script that collects these. Compare the content of these files from a working and non-working server.

    6. Microsoft Website:

    Hope the above information is helpful!

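The comparison suggested in steps 4 and 5 of the answer, as an added example that is not part of the original thread: it diffs two `auditpol /get /category:* /r` reports by subcategory GUID, so a subcategory that is absent from a server's report is separated from one that is present with a different setting. The function names, host names and sample rows are constructed for illustration, and the script assumes the English column headers `Subcategory GUID` and `Inclusion Setting`.

```powershell
# Added example. Compares two "auditpol /get /category:* /r" exports by GUID.
# On live hosts, capture the text with: auditpol /get /category:* /r | Out-String
function ConvertTo-AuditMap {
    param([Parameter(Mandatory)][string]$CsvText)
    $map = @{}
    # Drop blank lines, then let the first remaining line act as the CSV header.
    $rows = $CsvText -split "`r?`n" | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($row in $rows) {
        # Key on the GUID: display names can differ between systems, GUIDs do not.
        $map[$row.'Subcategory GUID'.Trim('{}').ToUpper()] = $row
    }
    return $map
}

function Compare-AuditPolExport {
    param([Parameter(Mandatory)][string]$ReferenceCsv, [Parameter(Mandatory)][string]$TargetCsv)
    $ref = ConvertTo-AuditMap -CsvText $ReferenceCsv
    $tgt = ConvertTo-AuditMap -CsvText $TargetCsv
    foreach ($guid in ($ref.Keys | Sort-Object)) {
        $want = $ref[$guid].'Inclusion Setting'
        if (-not $tgt.ContainsKey($guid)) {
            # Subcategory absent from the target's report (the check in step 4).
            $status = 'MissingOnTarget'; $have = $null
        } else {
            $have = $tgt[$guid].'Inclusion Setting'
            if ($have -eq $want) { continue }   # identical setting: nothing to report
            $status = 'SettingDiffers'
        }
        [pscustomobject]@{
            Guid = $guid; Subcategory = $ref[$guid].Subcategory
            Status = $status; Reference = $want; Target = $have
        }
    }
}

# Constructed sample exports; the Access Rights GUID is the one quoted in the answer.
$header = 'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
$reference = @(
    $header
    'SRV-REF,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,'
    'SRV-REF,System,Access Rights,{0CCE922A-69AE-11D9-BED3-505054503030},Success,'
) -join "`n"
$target = @(
    $header
    'SRV-A,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,'
) -join "`n"

Compare-AuditPolExport -ReferenceCsv $reference -TargetCsv $target | Format-Table -AutoSize
```

Only subcategories listed in the reference report are checked, so the reference should come from a server that shows every subcategory you expect.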
