Tuesday, May 1, 2018

Configuring Registry Auditing Permissions via GPO

After many years of having nothing in place, we recently decided to implement an auditing solution for our Windows infrastructure.  This includes the auditing of Active Directory, Group Policy, Exchange, Windows File Server, SQL and Windows Server.

Quick side note: If you don't have an auditing solution in place, get one.  Both my manager and I quickly realized we could have been saved a lot of pain over the years by having one in place.  To name a few:

  • Alerting on changes to sensitive security groups or folders.
  • End user tickets: "I accidentally moved a folder and can't find it"
  • Alerting on changes to Full Access and Send As permissions on Exchange mailboxes
  • Video recording (if your solution has it) of consultant/contractor sessions on company servers.
  • These are just a few of the big ones that hit home while watching demos.

Most of the auditing settings are easily configured under "Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration" (the Object Access\Audit Registry subcategory is what makes registry events fire at all).  However, the audit policy alone produces nothing for registry keys: each key also needs a System Access Control List (SACL), the auditing entries on the key's permissions, and that is where I got a little stumped.

Vendor documentation instructs you to configure auditing entries for HKLM\SOFTWARE, HKLM\SYSTEM and HKEY_USERS\.DEFAULT as shown below.

[Screenshot: Vendor Recommended Permissions (Regedit)]
Now, the vendor documentation did not include information for deploying via GPO, so I set out to figure this out on my own.  The process is fairly straightforward:

  • Open your GPO and navigate to "Computer Configuration\Policies\Windows Settings\Security Settings\Registry".
  • Right-click on "Registry" or in the white space to the right and select "Add Key".
  • Select the Key you want to set Audit permissions for, in this example it's "Machine > Software", then click OK and the "Database Security" window will open.
  • In the "Database Security" window, click "Advanced", then click the "Auditing" tab and click "Add".
  • On the "Auditing Entry" window, click "Select a principal", type "Everyone", then click OK.
  • Type: "Success"
  • Applies to: "This key and subkeys"
  • Click "Show advanced permissions"

But wait... "Write DAC" and "Write Owner" are not options!  

As it turns out, Microsoft uses different terminology in the Registry Editor and the Group Policy editor: instead of "Write DAC" and "Write Owner", you select "Change permissions" and "Take ownership".  They are the same rights under the hood, the WRITE_DAC (0x40000) and WRITE_OWNER (0x80000) bits of the access mask; only the label differs.  The .NET RegistryRights enumeration that PowerShell exposes uses the Group Policy names, ChangePermissions and TakeOwnership.

After setting those permissions and running a quick "gpupdate /force" on my test server, I checked the key in the Registry Editor to confirm.  As you can see, by using "Change permissions" and "Take ownership", the correct auditing entries were applied to the server.
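Checking the result in regedit works for one server; across a fleet you want a script.  The following PowerShell is an added example, not part of the original post or the vendor's documentation.  It reads back the SACL of the three keys above and reports whether an "Everyone / Success / This key and subkeys" entry covering the expected rights is present, and it can add the entry directly for a host outside the GPO's scope.  The exact list of rights in `$wanted` is an assumption standing in for the vendor screenshot; substitute whatever your vendor documents.

```powershell
# Added example (not from the original post). Verifies, and optionally sets, the registry
# auditing entries (SACL) that the post configures through Group Policy.
#Requires -RunAsAdministrator   # reading or writing a SACL needs SeSecurityPrivilege

# The three keys named in the post. PowerShell has no HKU: drive by default, so map one.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$keys = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKU:\.DEFAULT'

# ASSUMED right set standing in for the vendor screenshot; edit to match your vendor's list.
# Note the names: regedit's "Write DAC" / "Write Owner" are ChangePermissions / TakeOwnership
# here, exactly as the Group Policy editor labels them.
$wanted = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Test-RegistryAuditEntry {
    param([Parameter(Mandatory)][string]$Path)

    # -Audit is required; without it Get-Acl returns only the DACL and GetAuditRules() is empty.
    $rules = (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

    # Look for a Success entry for Everyone that propagates to subkeys ("This key and subkeys"
    # = ContainerInherit) and covers every right we care about. A superset is acceptable.
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Success) -and
        ($_.InheritanceFlags -band [System.Security.AccessControl.InheritanceFlags]::ContainerInherit) -and
        (($_.RegistryRights -band $wanted) -eq $wanted)
    }

    [pscustomobject]@{
        Key            = $Path
        Compliant      = [bool]$match
        EveryoneRights = ($rules | Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
                          ForEach-Object { "$($_.AuditFlags): $($_.RegistryRights)" }) -join ' | '
    }
}

function Add-RegistryAuditEntry {
    # Applies the same entry the GPO would. Useful for a lab box or a host outside the GPO
    # scope; on a GPO-managed host Group Policy will reapply its own SACL at the next refresh.
    param([Parameter(Mandatory)][string]$Path)

    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        $wanted,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # this key and subkeys
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Report only; uncomment the second line to remediate non-compliant keys.
$keys | ForEach-Object { Test-RegistryAuditEntry -Path $_ } | Format-Table -AutoSize
# $keys | ForEach-Object { if (-not (Test-RegistryAuditEntry -Path $_).Compliant) { Add-RegistryAuditEntry -Path $_ } }
```

Run it after `gpupdate /force` on the test server and the `Compliant` column should read `True` for all three keys; a fresh server with no GPO applied shows `False` with an empty `EveryoneRights` column, since Windows ships these keys with no audit entries.  Two caveats: the SACL only generates events (4657 and friends) when the Audit Registry subcategory is enabled in Advanced Audit Policy Configuration, and the "Everyone / Success" entry on HKLM\SOFTWARE and HKLM\SYSTEM is noisy by design, so size the Security log and your collector accordingly.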