Advanced Audit Policy Configuration Precedence

The group policy object (GPO) that Tenable Identity Exposure creates to enable required events logging is linked to the organization unit (OU) domain controllers with Enforced mode enabled.

This gives the GPO a high priority, but an enforced GPO configured at a higher level (such as domain or site) takes precedence over it.

If the higher priority GPO that defines the Advanced Audit Policy Configuration settings conflicts with Tenable Identity Exposure’s needs, it takes precedence and Tenable Identity Exposure misses required events for attack detection.

Since Windows merges Advanced Audit Policy Configuration settings defined by GPOs, different GPOs can define different settings.

However, at each setting level, it only uses the GPO-defined value with the higher precedence. For example, Tenable Identity Exposure needs the Success and Failure value for the Audit Credential Validation setting. However, if a GPO with higher precedence only defines Success for Audit Credential Validation, then Windows only collects Success events and Tenable Identity Exposure misses the required Failure events.