Quick side note: If you don't have an auditing solution in place, get one. Both my manager and I quickly realized we could have been saved a lot of pain over the years by having one in place. To name a few:
- Alerting on changes to sensitive security groups or folders.
- End user tickets: "I accidentally moved a folder and can't find it"
- Alerting on changes to Full Access and Send As permissions on Exchange mailboxes
- Video recording (if your solution has it) of consultant/contractor sessions on company servers.
These are just a few of the big ones that hit home while watching demos.
Most of the auditing settings are easily configured under "Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Configuration". However, there are also Registry permissions that must be configured, which is where I got a little stumped.
Vendor documentation instructs you to configure Auditing permissions for HKLM\Software, HKLM\System and HKEY_USERS\.Default as shown below.
Vendor Recommended Permissions (Regedit)
- Open your GPO and navigate to "Computer Configuration\Policies\Windows Settings\Security Settings\Registry".
- Right-click on "Registry" or in the white space to the right and select "Add Key".
- Select the Key you want to set Audit permissions for, in this example it's "Machine > Software", then click OK and the "Database Security" window will open.
- In the "Database Security" window, click "Advanced", then click the "Auditing" tab.
- On the "Auditing Entry" window, click "Select a principal", type "Everyone", then click OK.
- Type: "Success"
- Applies to: "This key and subkeys"
- Click "Show advanced permissions"
But wait... "Write DAC" and "Write Owner" are not options!
As it turns out, Microsoft uses different terminology in the Registry Editor and the Group Policy Editor: instead of "Write DAC" and "Write Owner", you select "Change permissions" and "Take ownership".
After setting those permissions and running a quick "gpupdate /force" on my test server, I checked the key in the Registry Editor to confirm. As you can see, by using "Change permissions" and "Take ownership", the correct permissions were applied to the server.
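If you would rather confirm the result on every server than open Regedit on each one, the following PowerShell snippet (an added example, not from the original post or the vendor documentation) reads the SACL of the three keys the vendor guide names and checks for an Everyone / Success / "This key and subkeys" entry carrying the two rights in question. In the .NET RegistryRights names that PowerShell shows, "Write DAC" and "Change permissions" are ChangePermissions, and "Write Owner" and "Take ownership" are TakeOwnership.

```powershell
# Added example: verify that the GPO-delivered audit entries (SACL) landed on the
# keys the vendor guide lists. Run from an elevated prompt; reading a SACL with
# Get-Acl -Audit requires the SeSecurityPrivilege that only admins hold.
# Reminder: SACL entries only produce events if Object Access > Audit Registry
# is enabled under Advanced Audit Configuration.
$keys = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'Registry::HKEY_USERS\.DEFAULT')

# "Change permissions" (Write DAC) and "Take ownership" (Write Owner) as RegistryRights.
$required = [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
            [System.Security.AccessControl.RegistryRights]::TakeOwnership

foreach ($key in $keys) {
    $sacl  = Get-Acl -Path $key -Audit
    # Explicit and inherited audit rules, identities resolved to account names.
    $rules = $sacl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) -and
        (($_.RegistryRights -band $required) -eq $required) -and
        $_.InheritanceFlags.HasFlag([System.Security.AccessControl.InheritanceFlags]::ContainerInherit)
    }

    if ($match) { Write-Output "OK       $key" } else { Write-Output "MISSING  $key" }

    # Dump every audit entry so the mapping to ChangePermissions/TakeOwnership is visible.
    $rules | Format-Table IdentityReference, RegistryRights, AuditFlags,
                          InheritanceFlags, IsInherited -AutoSize
}
```

A "MISSING" line means either the GPO has not applied yet (check gpresult /r or the Group Policy operational log) or the entry was created with a different principal, audit type or scope than the vendor guide calls for.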