microsoft / Microsoft-Defender-for-Identity

Additional resources to improve customer experience with Microsoft Defender for Identity


'Unable to get the advanced auditing settings remotely' when running script locally

Owl-Tec opened this issue · comments

Description

Running "Test-MdiReadiness.ps1" on a local DC produces the following error message:

  • "Unable to get the advanced auditing settings remotely."

Reproduction steps

  1. Log on to the DC locally, then launch PowerShell and run "Test-MdiReadiness.ps1".

Logs (from .JSON output)

{ "DomainSchemaVersion": { "schemaVersion": 88, "details": "Windows Server 2019 / 2022" }, "DomainAdfsAuditing": { "details": "Microsoft ADFS Program Data container not found", "isAdfsAuditingOk": true }, "Domain": “XXX”, "DomainControllers": { "OS": "Windows Server 2016 Standard", "CapturingComponent": "Npcap (1.70), WinPcap 4.1.3 (4.1.0.2980)", "IP": “xx”x, "NtlmAuditing": true, "PowerSettings": false, "ServerRequirements": true, "RootCertificates": true, "FQDN": “XXX, "OSVersion": true, "Details": { "ServerRequirementsDetails": { "NumberOfLogicalProcessors": 2, "TotalPhysicalMemory": 8588820480, "OsDiskDeviceID": "C:", "OsDiskFreeSpace": 65774243840 }, "PowerSettingsDetails": null, "AdvancedAuditingDetails": "Unable to get the advanced auditing settings remotely", "NtlmAuditingDetails": [ { "regKey": "System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\AuditReceivingNTLMTraffic", "value": 2 }, { "regKey": "System\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\RestrictSendingNTLMTraffic", "value": 1 }, { "regKey": "System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\AuditNTLMInDomain", "value": 7 } ], "RootCertificatesDetails": [ { "Thumbprint": "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4", "Subject": "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "Issuer": "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "NotBefore": "\/Date(1375358400000)\/", "NotAfter": "\/Date(2147169600000)\/" }, { "Thumbprint": "D4DE20D05E66FC53FE1A50882C78DB2852CAE474", "Subject": "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE", "Issuer": "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE", "NotBefore": "\/Date(958157160000)\/", "NotAfter": "\/Date(1747094340000)\/" }, { "Thumbprint": "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", "Subject": "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US", "Issuer": "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US", "NotBefore": 
"\/Date(1163116800000)\/", "NotAfter": "\/Date(1952035200000)\/" } ], "OSVersionDetails": { "Caption": "Microsoft Windows Server 2016 Standard", "Version": "10.0.14393" } }, "MachineType": "Hyper-V", "SensorVersion": "2.215.17148.48037", "AdvancedAuditing": false }, "DomainExchangeAuditing": { "details": [ { "ObjectAceFlags": 1, "ObjectAceType": "45ec5156-db7e-47bb-b53f-dbeb2d03c40f", "InheritedObjectAceType": "00000000-0000-0000-0000-000000000000", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 36, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 28, "AccountDomainSid": { "BinaryLength": 24, "AccountDomainSid": "S-1-5-21-1929213017-1124552077-618671499", "Value": "S-1-5-21-1929213017-1124552077-618671499" }, "Value": "S-1-5-21-1929213017-1124552077-618671499-513" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 24, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 16, "AccountDomainSid": null, "Value": "S-1-5-32-544" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 20, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 786464, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, 
"AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "WriteProperty, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 64 } ], "isExchangeAuditingOk": false }, "CAServers": { "OS": "Windows Server 2016 Standard", "CapturingComponent": "", "IP": “xx”x, "PowerSettings": false, "ServerRequirements": true, "RootCertificates": true, "FQDN": “XX”X, "CAAuditing": true, "OSVersion": true, "Details": { "ServerRequirementsDetails": { "NumberOfLogicalProcessors": 2, "TotalPhysicalMemory": 8588869632, "OsDiskDeviceID": "C:", "OsDiskFreeSpace": 13454467072 }, "PowerSettingsDetails": null, "AdvancedAuditingCADetails": "Unable to get the advanced auditing settings remotely", "CAAuditingDetails": { "regKey": "System\\CurrentControlSet\\Services\\CertSvc\\Configuration\\XXX\\AuditFilter", "value": 127 }, "RootCertificatesDetails": [ { "Thumbprint": "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4", "Subject": "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "Issuer": "CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US", "NotBefore": "\/Date(1375358400000)\/", "NotAfter": "\/Date(2147169600000)\/" }, { "Thumbprint": "D4DE20D05E66FC53FE1A50882C78DB2852CAE474", "Subject": "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE", "Issuer": "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE", "NotBefore": "\/Date(958157160000)\/", "NotAfter": "\/Date(1747094340000)\/" }, { "Thumbprint": "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", "Subject": "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US", "Issuer": "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US", "NotBefore": "\/Date(1163116800000)\/", "NotAfter": "\/Date(1952035200000)\/" } ], "OSVersionDetails": { "Caption": "Microsoft Windows Server 2016 Standard", "Version": "10.0.14393" } }, "MachineType": "Hyper-V", "SensorVersion": "N/A", 
"AdvancedAuditingCA": false }, "DomainObjectAuditing": { "isObjectAuditingOk": true, "details": [ { "ObjectAceFlags": 3, "ObjectAceType": "f30e3bbe-9ff0-11d1-b603-0000f80367c1", "InheritedObjectAceType": "bf967aa5-0de6-11d0-a285-00aa003049e2", "BinaryLength": 56, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 32, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 66, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "WriteProperty", "AuditFlagsValue": 1, "AceFlagsValue": 66 }, { "ObjectAceFlags": 3, "ObjectAceType": "f30e3bbf-9ff0-11d1-b603-0000f80367c1", "InheritedObjectAceType": "bf967aa5-0de6-11d0-a285-00aa003049e2", "BinaryLength": 56, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 32, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 66, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "WriteProperty", "AuditFlagsValue": 1, "AceFlagsValue": 66 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "ce206244-5827-4a86-ba1c-1c0c386c1b64", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "bf967a86-0de6-11d0-a285-00aa003049e2", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, 
"OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "7b8b558a-93a5-4af7-adca-c017e67f1057", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "bf967a9c-0de6-11d0-a285-00aa003049e2", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "ObjectAceFlags": 2, "ObjectAceType": "00000000-0000-0000-0000-000000000000", "InheritedObjectAceType": "bf967aba-0de6-11d0-a285-00aa003049e2", "BinaryLength": 40, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 852331, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, 
"Value": "S-1-1-0" }, "AceType": 7, "AceFlags": 74, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 2, "AuditFlags": 1, "AccessMaskDetails": "CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 74 }, { "BinaryLength": 36, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 28, "AccountDomainSid": { "BinaryLength": 24, "AccountDomainSid": "S-1-5-21-1929213017-1124552077-618671499", "Value": "S-1-5-21-1929213017-1124552077-618671499" }, "Value": "S-1-5-21-1929213017-1124552077-618671499-513" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 24, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 256, "SecurityIdentifier": { "BinaryLength": 16, "AccountDomainSid": null, "Value": "S-1-5-32-544" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "ExtendedRight", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 20, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 786464, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 2, "AceFlags": 64, "IsInherited": false, "InheritanceFlags": 0, "PropagationFlags": 0, "AuditFlags": 1, "AccessMaskDetails": "WriteProperty, WriteDacl, WriteOwner", "AuditFlagsValue": 1, "AceFlagsValue": 64 }, { "BinaryLength": 20, "AceQualifier": 2, "IsCallback": false, "OpaqueLength": 0, "AccessMask": 32, "SecurityIdentifier": { "BinaryLength": 12, "AccountDomainSid": null, "Value": "S-1-1-0" }, "AceType": 2, "AceFlags": 194, "IsInherited": false, "InheritanceFlags": 1, "PropagationFlags": 0, "AuditFlags": 3, 
"AccessMaskDetails": "WriteProperty", "AuditFlagsValue": 3, "AceFlagsValue": 194 } ] } }

Some Additional Context:

https://learn.microsoft.com/en-us/answers/questions/1377287/defender-for-identity-directory-services-advanced?comment=question#newest-question-comment

Just confirmed that the audit policies are indeed on.

The script has a list of required policies to be enabled:
Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Setting Value System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030},Success and Failure,3 System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,3

Here are the results of AuditPol on my one DC (which show that the required policies are enabled):
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value DomainController,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Group Membership,{0CCE9249-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030},Failure,,2 DomainController,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Detailed File 
Share,{0CCE9244-69AE-11D9-BED3-505054503030},Failure,,2 DomainController,System,Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,File Share,{0CCE9224-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,SAM,{0CCE9220-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Registry,{0CCE921E-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Token Right Adjusted Events,{0CCE924A-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Plug and Play Events,{0CCE9248-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Other Policy Change 
Events,{0CCE9234-69AE-11D9-BED3-505054503030},Failure,,2 DomainController,System,Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Credential 
Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,,Option:CrashOnAuditFail,,Disabled,,0 DomainController,,Option:FullPrivilegeAuditing,,Disabled,,0 DomainController,,Option:AuditBaseObjects,,Disabled,,0 DomainController,,Option:AuditBaseDirectories,,Disabled,,0 DomainController,,FileGlobalSacl,,,, DomainController,,RegistryGlobalSacl,,,,

@Owl-Tec
The issue is related to the auditpol backup file, which is either not being created or cannot be read. This is causing the "Unable to get the advanced auditing settings remotely" error. However, the applied auditing settings themselves seem to be correct.

I modified the script to use the actual temporary folder instead of assuming it is always located at C:\Windows\Temp.
Please try the latest version and let me know if the problem persists. If it does, please run the following command and paste the contents of mdi-temp.csv here:
cmd.exe /c auditpol.exe /backup /file:C:\Windows\Temp\mdi-temp.csv

Thanks for the reply.

I just re-ran the script, but the same issue still occurs:
Screenshot 2023-10-03 at 7 24 56 AM

Here are the results of the requested .CSV file:
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
DC,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success,,1
DC,System,Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Group Membership,{0CCE9249-69AE-11D9-BED3-505054503030},Success,,1
DC,System,User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success,,1
DC,System,IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030},Failure,,2
DC,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Detailed File Share,{0CCE9244-69AE-11D9-BED3-505054503030},Failure,,2
DC,System,Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,File Share,{0CCE9224-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,SAM,{0CCE9220-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Registry,{0CCE921E-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Token Right Adjusted Events,{0CCE924A-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1
DC,System,Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Plug and Play Events,{0CCE9248-69AE-11D9-BED3-505054503030},Success,,1
DC,System,DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030},Failure,,2
DC,System,Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030},Success,,1
DC,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,,1
DC,System,Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030},Success,,1
DC,System,Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,,3
DC,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,,0
DC,,Option:CrashOnAuditFail,,Disabled,,0
DC,,Option:FullPrivilegeAuditing,,Disabled,,0
DC,,Option:AuditBaseObjects,,Disabled,,0
DC,,Option:AuditBaseDirectories,,Disabled,,0
DC,,FileGlobalSacl,,,,
DC,,RegistryGlobalSacl,,,,

I was using this script to help troubleshoot a problem I was having in the Microsoft Defender for Identity console, where the following error message appeared:
image
However, this error message has since gone away, after I did the following:

  • "Pushing the policies to the "Default Domain Controllers Policy" GPO, instead of a separate GPO, is what fixed it. I guess this is a super common bug with enabling Advanced Audit"

I am starting to think that your script is fine and that the problem may be with my server itself.