@vultureman
Per https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-computer-account-management this audit type does not have failure events, so "Stronger Recommendation" should not be Yes | Yes, but Yes | No

@vultureman vultureman requested a review from a team as a code owner November 20, 2025 21:04
@vultureman vultureman requested review from robinharwood and removed request for a team November 20, 2025 21:04
@prmerger-automator
Contributor

@vultureman : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

@learn-build-service-prod
Contributor

Learn Build status updates of commit 6af407e:

✅ Validation status: passed

| File | Status | Preview URL | Details |
| --- | --- | --- | --- |
| WindowsServerDocs/identity/ad-ds/plan/security-best-practices/Audit-Policy-Recommendations.md | ✅Succeeded | | |

For more details, please refer to the build report.

@vultureman
Author

vultureman commented Nov 20, 2025

This also appears to be the same case for:

Audit Other Account Management Events
Audit Security Group Management
Audit Process Creation
Audit Security State Change
Audit Security System Extension
Audit Special Logon

Per the link mentioned above, none of those 6 groups (5 above plus the original proposed change) have a failure type for that category, so they should be Yes | No

Similarly, "Audit Account Lockout" is set to Yes | No, but per that article, the audit category only generates Failure events.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/audit-account-lockout

So both options on "Audit Account Lockout" should be No | Yes

Basically, the whole sheet should be vetted to verify if any "Stronger Recommendations" actually generate those events.
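
One way to do the vetting suggested in the comment above, as an added example that is not part of the pull request or the documentation repo: it checks Success | Failure recommendations against the event types each subcategory is said to generate in this thread. The three-column row layout, the sample rows and all function names are constructed for illustration.

```python
# Event types each subcategory generates, taken only from the claims in this thread.
GENERATES = {
    "Audit Computer Account Management": {"Success"},
    "Audit Other Account Management Events": {"Success"},
    "Audit Security Group Management": {"Success"},
    "Audit Process Creation": {"Success"},
    "Audit Security State Change": {"Success"},
    "Audit Security System Extension": {"Success"},
    "Audit Special Logon": {"Success"},
    "Audit Account Lockout": {"Failure"},
}

# Constructed sample rows (assumed layout: subcategory | Success | Failure).
SAMPLE_TABLE = """\
| Audit Computer Account Management | Yes | Yes |
| Audit Account Lockout | Yes | No |
| Audit Special Logon | Yes | No |
| Audit Logon | Yes | Yes |
"""

def parse_rows(table):
    """Yield (subcategory, set of recommended event types) per data row."""
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or not {cells[1], cells[2]} <= {"Yes", "No"}:
            continue  # skip headers, separator rows and malformed lines
        name, success, failure = cells
        yield name, {t for t, v in (("Success", success), ("Failure", failure)) if v == "Yes"}

def fmt(types):
    """Render a set of event types back into the table's 'Yes | No' form."""
    return " | ".join("Yes" if t in types else "No" for t in ("Success", "Failure"))

def vet(table):
    """Return (subcategory, current, suggested) for rows that need attention."""
    findings = []
    for name, wanted in parse_rows(table):
        produced = GENERATES.get(name)
        if produced is None:
            findings.append((name, fmt(wanted), "unverified"))  # not covered by the thread
        elif wanted and wanted != produced:
            # Auditing is recommended, but for an event type that is never generated.
            findings.append((name, fmt(wanted), fmt(produced)))
    return findings

if __name__ == "__main__":
    for finding in vet(SAMPLE_TABLE):
        print(*finding, sep=" -> ")
```

Rows reported as "unverified" are subcategories the thread does not discuss; they need checking against the per-subcategory auditing articles before the table entry can be trusted.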

@v-dirichards
Contributor

@robinharwood, @Xelu86
Can you review the proposed changes?

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team
#assign: @robinharwood, @Xelu86

@prmerger-automator
Contributor

Users robinharwood are already assigned.

@prmerger-automator prmerger-automator bot added the aq-pr-triaged tracking label for the PR review team label Nov 20, 2025