How to use Group Policy to audit registry keys in Windows Server 2003

This article describes how to use Group Policy to configure auditing of Windows registry keys.

Create a Group Policy Object

To create a Group Policy object (GPO) that you can use to turn on auditing in a domain, follow these steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click your domain, and then click Properties.
3. Click the Group Policy tab, and then click New.
4. Type the name that you want to use for this policy (for example, Enable auditing policy), and then press ENTER.
5. Click Properties, and then click the Security tab.
6. Click to clear the Allow check box next to Apply Group Policy for the security groups that you want to prevent from having this policy applied.
7. Click to select the Allow check box next to Apply Group Policy for the groups to which you want to apply this policy, and then click OK.
8. Click OK, click OK again, and then quit Active Directory Users and Computers.

Turn On Auditing in Group Policy

If auditing is not already turned on, you must turn it on. In a domain, turn on auditing in a GPO that is linked to the domain. On either a server or a workstation that is not a member of the domain, turn on auditing in a local GPO.

Turn On Auditing on a Domain Controller

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click your domain, and then click Properties.
3. Click the Group Policy tab, click the Group Policy object that you want to use, and then click Edit.
4. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
5. In the right pane, double-click Audit object access.
6. Click to select the Define these policy settings check box, click to select the Success check box, click to select the Failure check box, and then click OK.
   
   NOTE: The Audit object access policy setting is enough to turn on auditing for the Windows registry.
7. Quit the Group Policy Object Editor snap-in, and then click
   Close.

Turn On Auditing on a Computer That Is Not a Member of a Domain

1. Click Start, and then click Run.
2. In the Open box, type gpedit.msc, and then click OK.
3. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
4. In the right pane, double-click Audit object access.
5. Click to select the Success check box, click to select the Failure check box, and then click OK.
   
   NOTE: The Audit object access policy is enough to turn on auditing for the Windows registry.
6. Quit the Group Policy Object Editor snap-in.

Audit a Registry Key

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 How to back up and restore the registry in Windows

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and click the registry key that you want to audit, for example:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. On the Edit menu, click Permissions.
5. Click Advanced, click the Auditing tab, and then click Add.
6. Type the user account or group whose access to this registry key you want to audit, click Check Names to verify the name, and then click OK.
7. In the Apply onto box, click the option that you want.
8. Click to select the Successful and Failed check boxes next to the following access types:
   
   Set Value
   Create Subkey
9. Click OK, and then click OK.
   
   You may receive the following message:
   
   The current Audit Policy for this computer does not have auditing turned on. If this computer receives audit policy from the domain, please ask a domain administrator to turn on auditing using Group Policy Editor. Otherwise, use the Local Computer Policy Editor to configure the audit policy locally on this computer.
   
   If auditing is not turned on, you must turn it on by following the steps in the Turn On Auditing in Group Policy section of this article.
10. Click OK
11. Quit Registry Editor.

Audit events are displayed in the Security log of Event Viewer.

Use a Security Template to Audit Registry Keys

You can also use a security template to audit registry keys. To configure the audit policy, either create a custom security template or modify an existing template, and then use Group Policy to apply this template to multiple computers in a domain or an organizational unit (OU).

Create a Security Template

To create a new security template or to modify an existing template, follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type mmc, and then click OK.
3. On the File menu, click Add/Remove Snap-in.
4. Click Add, click Security Templates, click Add, click Close, and then click OK.
5. In the console tree, expand Security Templates, and then expand drive:\WINDOWS\Security\Templates, where drive is the drive on which Windows is installed.
6. Do one of the following:
   
   • If you want to modify an existing template, expand the template that you want to use, for example, hisecws (high-security workstation template).
     
   • If you want to create a new security template, follow these steps:
     
     1. Right-click drive:\WINDOWS\Security\Templates, and then click New Template.
     2. Type a name for the template in the
        Template name box, and then click OK.
     3. Expand the new template that you created.
7. Right-click Registry, and then click Add Key.
8. In the Registry list, click the registry key that you want to use, and then click
   OK. For example:
   
   MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
9. Click Advanced, click the Auditing tab, and then click Add.
10. Type the user account or group whose access to this registry key you want to audit, click Check Names to verify the name, and then click OK.
11. In the Apply onto box, click the option that you want.
12. Click to select the Successful and Failed check boxes next to the type of access that you want to audit for either the selected user or the selected security group, and then click OK.
    
    For example, click to select the Successful and Failed check boxes next to Set Value.
13. Click OK.
    
    If you receive the following message, click OK:
    
    The current Audit Policy for this computer does not have auditing turned on. If this computer receives audit policy from the domain, please ask a domain administrator to turn on auditing using Group Policy Editor. Otherwise, use the Local Computer Policy Editor to configure the audit policy locally on this computer.
14. Click OK, and then click OK.
15. Expand Local Policies, and then click Audit Policy.
16. In the right pane, double-click Audit object access
17. Click to select Define these policy settings in the template check box, click to select the Success check box, click to select the Failure check box, and then click OK.
    
    NOTE: The Audit object access policy setting is enough to turn on auditing for the Windows registry.
18. Quit the Security Templates snap-in.
19. If a Save Security Templates dialog box is displayed, click Yes to save the custom security template that you created.

Apply the Security Template

Use Group Policy to apply the security template that contains the audit policy that you configured. To do so, follow these steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Do one of the following:
   
   • If you want to apply the security template to the whole domain, right-click the domain, and then click Properties.
     
     -or-
   • If you want to apply the security templates to an organizational unit, expand the domain, right-click the organizational unit, and then click Properties.
3. Create a GPO to use to apply the security template. To do so:
   
   1. Click the Group Policy tab.
   2. Click New.
   3. Type a name for the GPO in the New Group Policy Object box (for example, Apply Audit Policy Security Template), and then press ENTER.
4. Click Edit.
5. Under Computer Configuration, expand Windows Settings, right-click Security Settings, and then click Import Policy.
6. Click the security template that you created, click to select the Clear this database before importing check box, and then click Open.
   
   NOTE: When the Clear this database before importingcheck box is selected, all of the security settings in the GPO are replaced with those of the security template that you import.
7. Quit the Group Policy Object Editor snap-in, and then click
   Close.
8. Quit Active Directory Users and Computers.

Troubleshooting

After you configure auditing, the service may not work. This behavior can occur for any of the following reasons:

• A site, a domain, or an organizational unit policy setting overrides the audit policy that you configured. To troubleshoot this issue, follow these steps:
  
  1. Click Start, and then click Run.
  2. In the Open box, type gpedit.msc, and then click OK.
  3. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
  4. In the right pane, view the item in the Security Setting column of the policy that you want to use.
     
     If the security setting of the policy is No auditing, a higher-level GPO may be overriding the audit policy setting that you configured. To confirm this behavior, view the higher-level GPO items that are linked to either the organizational unit or to the domain for possible conflicts.
  5. Click to select the Audit these attempts check box, click to select the Success check box, click to select the Failure check box, and then click OK.
     
     NOTE: The Audit object access policy setting is enough to turn on auditing for the Windows registry.
  6. Quit the Group Policy Object Editor snap-in.
• A GPO that overrides the audit policy setting has a higher priority. To troubleshoot this issue, follow these steps:
  
  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab. View the Group Policy Objects Links list.
     
     
     Items that are higher in the list override other lower-level items.
  4. If the GPO that contains your audit policy setting is listed below a higher-priority GPO item that turns off auditing, do one of the following steps:
     
     • Click the GPO that contains the audit policy setting that you want to use, and then click Up to move it above the higher-priority item in the list.
       
       WARNING: Make sure that other settings in your GPO do not conflict with the settings in the GPO items that are listed below it.
       
       -or-
     • Edit the GPO items that are listed above the GPO that contains the audit policy setting to remove conflicting policy settings.
       
       NOTE: You may want to combine the audit settings from one GPO with those of a higher-level GPO to resolve the audit policy conflict and to reduce the number of GPO items.
  5. When you are finished, click OK, and then click Exit on the File menu.
• The site, the domain, or the organizational unit policy setting that contains the audit policy setting has not replicated to other computers. To resolve this issue, use the Secedit.exe command-line utility to force Group Policy to be refreshed.