WinSecWiki > Security Settings > Local Policies > Security Options > Audit > Force audit policy subcategory settings

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

By default, if you define a value for a policy in one of the top-level categories—either in the computer's Local Security Policy or in an applicable GPO—then that top-level policy will usually override any configurations that you make at the subcategory level with the auditpol command. 

Under Windows’ default behavior, subcategory policies take effect only when you leave the related top-level category undefined in the Local Security Policy and in all applicable GPOs. If a category policy is defined, then all subcategory policies under that policy will be defined. 

I stress usually and default behavior because this new Group Policy Object setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" reverses that behavior. If you enable this setting, then your subcategory configurations will override how the applied Group Policy sets the top-level policies.

To configure audit policy at the subcategory level see the auditpol command.

Back to top

 

Upcoming Webinars Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources