Default Audit policy in 11g

Hi all,
11.2.0.3.11
aix6
What v$view can I select all information about our database Audit Policy Setting? That shows type of actions, events, and captured information?
Thanks,
mk

Thanks all,
Another question for PCIDSS audit: Can I expire&lock all the db users which I do not know of?
For example instead of changing password or removing, I will expire and lock the following :
1.1 Change the Oracle default account passwords
1.1.1 Change the default password for 'APEX_040000' (Scored)
1.1.2 Change the default password for 'APPQOSSYS' (Scored)
1.1.3 Change the default password for 'CTXSYS' (Scored)
1.1.4 Change the default password for 'DBSNMP' (Scored)
1.1.5 Change the default password for 'DIP' (Scored)
1.1.6 Change the default password for 'EXFSYS' (Scored)
1.1.7 Change the default password for 'MDDATA' (Scored)
1.1.8 Change the default password for 'MDSYS' (Scored)
1.1.9 Change the default password for 'LBACSYS' (Scored)
1.1.10 Change the default password for 'OLAPSYS' (Scored)
1.1.11 Change the default password for 'ORACLE_OCM' (Scored)
1.1.12 Change the default password for 'ORDDATA' (Scored)
1.1.13 Change the default password for 'ORDPLUGINS' (Scored)
1.1.14 Change the default password for 'ORDSYS' (Scored)
1.1.15 Change the default password for 'OUTLN' (Scored)
1.1.16 Change the default password for 'OWBSYS_AUDIT' (Scored)
1.1.17 Change the default password for 'OWBSYS' (Scored)
1.1.18 Change the default password for 'SI_INFORMTN_SCHEMA' (Scored)
1.1.19 Change the default password for 'SPATIAL_CSW_ADMIN_USR' (Scored)
1.1.20 Change the default password for 'SPATIAL_WFS_ADMIN_USR' (Scored)
1.1.21 Change the default password for 'SYS' (Scored)
1.1.22 Change the default password for 'SYSTEM' (Scored)
1.1.23 Change the default password for 'WK_TEST' (Scored)
1.1.24 Change the default password for 'WKPROXY' (Scored)
1.1.25 Change the default password for 'WKSYS' (Scored)
1.1.26 Change the default password for 'WMSYS' (Scored)
1.1.27 Change the default password for 'XDB' (Scored)
1.2 Remove Oracle Sample Users
1.2.1 Remove the sample user 'BI' (Scored)
1.2.2 Remove the sample user 'HR' (Scored)
1.2.3 Remove the sample user 'IX' (Scored)
1.2.4 Remove the sample user 'OE' (Scored)
1.2.5 Remove the sample user 'PM' (Scored)
1.2.6 Remove the sample user 'SCOTT' (Scored)
1.2.7 Remove the sample user 'SH' (Scored)
1.3 Ensure the latest version/patches for Oracle software is installed (Not Scored)
Regards,

Similar Messages

  • Reboot domain controller changes audit policy on Default Domain Controller Policy

    This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
    I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
    I have a monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
    All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
    Thanks and regards.

    Hi,
    >>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Did we try to run the command gpresult /h report.html with admin privileges to collect a group policy result report to check how the policy setting was applied after rebooting? Besides, we can also try to run the command auditpol /get /category:* from an elevated command prompt to check what audit settings are applied.
    Best regards,
    Frank Shen

  • Advanced Audit Policy in Windows 2008R2

    Hi,
    This is in regards to Advanced Audit Policy configurations in Windows 2008R2.
    1. What is the correct way to configure the Audit policies if we have to audit mix of settings from both Legacy & Advanced policies..? For example I would like to audit Account lockouts from Advanced policy along with existing Legacy settings.
    2. When I tried last time, the moment I enable Account lockout setting, none of the Legacy settings are applying to the DC.
    3. Ned has confirmed this behaviour in his article but his suggestion in such case is to DISABLE the setting “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings”
    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
    4. If we DISABLE the specified security setting - both the settings from Legacy & Advanced policies will get applied as long as there is no conflict, but in case of a conflict, Legacy policy will take precedence over Advanced policy. Is my understanding correct..?
    Thanks in advance for your help!
    Ashok

    Hi Ashok,
    Yes, you understand this policy correctly.
    By default, if you define a value for a policy in one of the top-level categories—either in the computer's Local Security Policy or in an applicable GPO—then that top-level policy will usually override any configurations that you make at the subcategory level with the auditpol command. In other words, setting audit policy by using basic audit policy categories will override the subcategory audit policy settings in Advanced Audit Policy Configuration. Enabling the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" policy setting allows audit policy to be managed by using subcategories without requiring a change to Group Policy.
    Regards,
    Lany Zhag

  • Discrepancy in Default Domain Policy

    Hello, 
    About 6 months ago we migrated from DC's running Windows 2003 R2 to Windows 2012 R2. At that time we raised our domain functional level to "Windows Server 2008 R2"
    I am trying to audit my Group Policy and have found a problem I am unable to explain. I have installed RSAT tools on my local workstation, and I have been using it to view group policy to perform my audit. Everything was going fine until I came across:
    "Default Domain Policy"
    Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities
    However when I attempted to edit the policy to look at the settings, nothing is there, the certificate is just missing.
    Furthermore, when I look in the Group Policy Management on the DC, It does not even show "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\TrustedRoot Certification Authorities"
    Can anyone explain to me the following:
    1. Why do my local workstation's RSAT tools show settings that are not reflected on the DC?
    2. Why are my RSAT tools showing settings on a certificate that does not exist? Is it because there used to be a cert there when we were using 2k3 domain controllers, and the cert wasn't migrated?
    3. How can I fix this so that my RSAT Group Policy Manager on my Workstations is synched with my Domain Controllers?
    Thank You in advance for any assistance. 
    P.S. I had several pictures setup that made the explanation of all this much easier, but I was not allowed to add them because "Body text cannot contain images or links until we are able to verify your account."  

    I have made some interesting discoveries that I think may help future individuals, if they find this posting. 
    When looking at the picture in my original posting you see that the group policy points to:
    "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities"
    So you would expect that you would navigate to the same path in the GPME (Group Policy Management Editor)
    but it turns out, that is not the case, to edit these settings you must navigate to the following:
    "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies" and
    double-click on "Certificate Path Validation Settings"
    I discovered this information using this technet article:
    http://technet.microsoft.com/en-us/library/cc754841.aspx
    Under "Managing Trusted Root Certificates for a Domain"
    However this does not resolve my original issue, in that it does not explain the discrepancy between RSAT tools and the DC. 
    Well I have a friend who has almost an identical setup to mine at his company (he is using Server 2012 R1), he checked, and he saw the exact same scenario as I have. 
    I am unsure if this is by design or a bug in GPO. I would assume that if it was a bug that others would have discovered it by now and written about it, can anyone provide any insight?

  • Domain advanced audit policy not taking effect on DC.

    Hi.
    I'm having a strange problem getting an advanced audit policy to take effect on one of my domain controllers, we'll call it DC1. I have two DCs on this network, and both are in the same OU, however they behave wildly differently with the same policy.
    For example, on DC1 when I run group policy results wizard from GPMC, I can see the local policy/audit policy settings, but no settings for advanced audit configuration are shown. However, if I log into DC1 itself and look at local security policy, it shows settings in both areas.
    No matter what changes I made to either area in the domain policy nothing would change in the local security policy on the system when refreshing group policy on the DC. It was as if it were stuck somehow. If I used the auditpol /get /category:* command it showed default audit settings, and that's it.
    I figured I would try to clear them and set them manually, and so I did an auditpol /clear, and now it says No Auditing for all categories. In addition to this, I did a gpupdate /force and it still said no auditing in all categories after displaying them with auditpol /get /category:*. On DC2 which is in the same OU, when running the group policy result wizard, it shows both advanced audit, and basic auditing settings being applied.
    If I look in the local security policy it shows no auditing for all basic audit settings, and all the advanced audit settings as being set. Which should be the case when Audit: force audit policy subcategory settings is set (which it is). However, unlike DC1, instead of showing No auditing, it shows all of the advanced audit configuration settings when I type auditpol /get /category:* at the command prompt, and its gpresults look good. I even cleared the audit policy off of DC2, and got it to show "no auditing" before doing a gpupdate, and all its settings came back. Not so with DC1. DC1 seems to apply all other group policy settings without issue.

    Hi,
    Based on your description, we can use the command auditpol /clear to remove all audit settings, find the audit.csv file existing in the GPOs in which we configured audit settings, delete the audit.csv file, and then configure the audit setting via group policy to see if it works as expected.
    The path for the audit.csv file:
    %systemroot%\Sysvol\sysvol\domainname\Policies\GPOs\Machine\Microsoft\Windows NT\Audit
    In addition, regarding audit policy, the following blog can be referred to for more information.
    Getting the Effective Audit Policy in Windows 7 and 2008 R2
    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
    Best regards,
    Frank Shen
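
The two threads above both come down to comparing what `auditpol /get /category:*` reports against what the GPO is supposed to deliver. The following is an added example, not part of the original posts: it parses the CSV form of that report (`auditpol /get /category:* /r`) and lists every required subcategory that is missing Success or Failure auditing. The baseline values, the sample reports and the placeholder GUIDs are constructed for illustration, and English-language output is assumed.

```python
import csv
import io

# auditpol "Inclusion Setting" text -> outcomes that produce audit events.
SETTINGS = {
    "No Auditing": frozenset(),
    "Success": frozenset({"Success"}),
    "Failure": frozenset({"Failure"}),
    "Success and Failure": frozenset({"Success", "Failure"}),
}

# Assumed baseline for illustration only; replace with your own requirements.
BASELINE = {
    "Directory Service Access": "Success and Failure",
    "Directory Service Changes": "Success",
    "Logon": "Failure",
}

# Constructed sample reports in the /r column layout (GUIDs are placeholders).
DC2_REPORT = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC2,System,Logon,{GUID-PLACEHOLDER},Success and Failure,
DC2,System,Directory Service Access,{GUID-PLACEHOLDER},Success and Failure,
DC2,System,Directory Service Changes,{GUID-PLACEHOLDER},Success,
"""

DC1_REPORT = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

DC1,System,Logon,{GUID-PLACEHOLDER},No Auditing,
DC1,System,Directory Service Access,{GUID-PLACEHOLDER},No Auditing,
DC1,System,Directory Service Changes,{GUID-PLACEHOLDER},No Auditing,
"""


def parse_auditpol_report(text):
    """Return {subcategory: frozenset of audited outcomes} from /r CSV text."""
    # Blank lines between header and rows are tolerated.
    lines = [line for line in text.splitlines() if line.strip()]
    policy = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        name = (row.get("Subcategory") or "").strip()
        setting = (row.get("Inclusion Setting") or "").strip()
        if not name:
            continue
        if setting not in SETTINGS:
            raise ValueError(f"unknown setting {setting!r} for {name!r}")
        policy[name] = SETTINGS[setting]
    return policy


def find_drift(baseline, effective):
    """List (subcategory, missing outcomes) for each unmet baseline entry."""
    drift = []
    for name, required in sorted(baseline.items()):
        # A subcategory absent from the report counts as not audited.
        missing = SETTINGS[required] - effective.get(name, frozenset())
        if missing:
            drift.append((name, sorted(missing)))
    return drift


def looks_cleared(effective):
    """True when every reported subcategory is 'No Auditing' (as after auditpol /clear)."""
    return bool(effective) and all(not outcomes for outcomes in effective.values())


if __name__ == "__main__":
    for host, report in (("DC2", DC2_REPORT), ("DC1", DC1_REPORT)):
        effective = parse_auditpol_report(report)
        print(host, "cleared:", looks_cleared(effective))
        for name, missing in find_drift(BASELINE, effective):
            print(f"  {name}: missing {', '.join(missing)}")
```

Run on a schedule against each DC's saved report, this shows which subcategories changed and when, which is the part the monitoring application in the first thread could not tell.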

  • Auditing with advanced audit policy

    I'm looking into advanced audit policy and recommendations.  
    What is the difference between "advanced audit policy configuration" and "auditpol.exe?"
    Once advanced audit policy is configured, where can I check the logs? Event Viewer?
    Should the advanced audit policy be configured on the Default Domain Policy or a separate policy on specific OUs?

    Hi,
    The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer using Local Security Policy, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
    There are a number of additional differences between the security audit policy settings in these two locations.
    There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy and 53 settings under Advanced Audit Policy Configuration. The settings available in Security Settings\Advanced Audit Policy Configuration address similar issues as the basic nine settings in Local Policies\Audit Policy but allow administrators to be more selective in the number and types of events to audit. For example, where basic audit policy provides a single setting for account logon, advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities you are not interested in. In addition, if you enable success auditing for the basic Audit account logon events setting, only success events will be logged for all account logon–related behaviors. In comparison, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, Success and failure auditing for a third advanced account logon setting—or no auditing, depending on the needs of your organization.
    The nine basic settings under Security Settings\Local Policies\Audit Policy were introduced in Windows 2000, and therefore are available to all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008.
    For more information, please refer to the below link:
    Advanced Security Auditing FAQ
    http://technet.microsoft.com/en-us/library/ff182311(WS.10).aspx#BKMK_2
    Best Regards,
    Yan Li
    TechNet Community Support

  • Audit Policy setting in GPO

    Hi,
    I would like to set up the audit setting for our company which will include mainly the "DS access" category. Also, we would like to disable the success logon / logoff as default and only enable the failure option in order to decrease the size of our security log.
    Should all those settings be set in the "Default Domain Policy" GPO or "Default Domain Controller Policy"? Or do we need to set up another GPO for the setting as, suggested by MS, the "Default Domain Policy" should only contain the Password and Lockout policy.
    Thanks,
    Jerald Leung

    Hi Jerald,
    >>I would like to setup the audit setting for our company which will include mainly the "DS access" category.
    According to me, for auditing DS access, we can configure this setting in the default domain controller group policy.
    DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers.
    The following article has provided the step-by-step guide for configuring DS access audit settings.
    AD DS Auditing Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc731607(v=WS.10).aspx
    Note: Audit events will only be generated on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings.
    >>we would like to disable the success logon / logoff as default and only enable the failure option in order to decrease the size of our security log.
    Audit "logon events" records logons on the PC(s) targeted by the policy and the results appear in the Security Log on that PC(s).
    If you want to just audit failure logon, you can configure the settings in the default domain policy or configure it in another GPO which links to the domain.
    In addition, we can set the maximum size of security log via group policy. Regarding this point, the following article can be referred to for more information.
    Maximum security log size
    http://technet.microsoft.com/en-us/library/cc776342(v=ws.10).aspx
    Best regards,
    Frank Shen

  • How do I move the policy from Default domain policy to a custom policy.

    I want to implement a new password policy. In the past we had a fairly loose policy, now I want to implement minimum length and complexity. I know how to set this up in Computer Config Policies windows settings security settings and account policies password policy. However after I set it up I notice that it is not being applied. I have run gpupdate, and even waited several days but still it's not taking effect. I have created what I'm calling a custom GPO calling it "password policy". It is situated under domains/mydomain.com. There are a number of other policies here.
    When I run gpresult /h c:\temp\gpreport.html it's all a bit confusing. It looks like it's being applied but then further down it says under Group policies Applied GPOs Denied GPOs Password Policy mydomain.com empty. ??
    But let me ask this first off.
    The previous administrator I think has the password policy set up in the "default domain policy"
    Is it possible that the default domain policy which IS indeed set differently is overriding my custom "password policy"
    If this is so how can I make it so my custom password policy is applied over the default domain policy.
    Or what other answers could it be.

    Hi,
    Based on your requirement you can create Fine Grained Password Policies.
    This feature introduced in Windows Server 2008 allows you to override password policy set at the Default Domain Policy for specific users or groups.
    Checkout the below link for creating Fine Grained Password Policies from GUI in Windows Server 2012,
    http://blogs.technet.com/b/reference_point/archive/2013/04/12/fine-grained-password-policies-gui-in-windows-server-2012-adac.aspx
    Regards,
    Gopi
    JiJi Technologies

  • Windows 8 and Default Domain Policy modification issue

    Hi,
    I'm unable to edit the default domain policy from my new Windows 8 desktop.  It's the only Win8 in the environment so I'm not able to easily test another one unfortunately.  The error I receive is:
    Group Policy Error
    Failed to open the Group Policy Object.  You might not have the appropriate rights.
    Details: The volume for a file has been externally altered so that the opened file is no longer valid.
    I have checked from a Win7 and a 2003 machine and can access and edit the GPO without issue using the same account. The Win8 desktop is a fresh install with the RSAT tools installed, Exchange 2010 tools and a few basic applications (none of which stick out as having anything to do with AD management).
    It only occurs if I click edit on the GPO.  I'm able to successfully view the policy and edit the permissions etc.  Have rebooted and the machine is current with patches as of now.
    thanks
    Andy
    Cheers Andy

    Hi,
    According to your description, the issue only occurred when you click to edit the GPO, and only occurred on Windows 8. I would like to suggest that you follow the suggestions below to narrow down the issue:
    1. Check out whether the issue only occurred to Default domain policy object.
    2. Test on another new installed Windows 8 client with only RSAT installed.
    3. Create another new account and add it to domain admin group to test again.
    4. Run dcdiag on DCs to check out whether the replications work fine.
    Hope this helps.
    Regards,
    Yan Li
    Cataleya Li
    TechNet Community Support

  • Gpupdate wont update because of Default Domain Policy

    Hi Technet Community
    I have just tried to do a gpupdate /force in the Command Prompt, but it has thrown an error up at me. Screenshot below :
    I have gone into Group Policy Management and tracked the UID (which is displayed above starting with 31B2F340...) to be the same as the Default Domain Policy. Usually, I would do whatever I need to with Group Policy to get it working again, but I don't know how to change this policy about, or whether I can delete the current one and recreate it?
    Could anyone let me know what I can do to resolve this.
    A restart does not resolve this issue, and if I leave the domain and re-join it, it still doesn't resolve it.
    I'll try installing SP1 and see if it works, but no other Windows 7, 8 or 8.1 client computers seem to work either, with exactly the same error.
    All users can still log in.
    Thanks
    Ed


  • Default domain policy got corrupted and can't reverse to old system state?

    Initially we had two servers, which were 2003 and 2008. After adding two more servers (Server 2012) to the network, we demoted the old servers; that was quite a while ago. After carefully looking at the default policy, I noticed that there were so many policies applied on the default policy object, which led me to disable them, and I created a backup for both the domain controller and the domain policy.
    Now the problem is that I stupidly ran dcgpofix, thinking it would restore the domain policy to its original state, but it did not; instead it came up with an empty default policy template, and inside there is no security policy which I can edit. However, I did try to restore the old policy which I backed up, but I get an access denied error.
    Now I realise that the original default policy was from Server 2003 and the current schema domain functional level is 2012. Currently I cannot log in to any newly added computers to the domain via the domain administrator account.
    Please help! Is there any way to create a new default domain policy?

    Hi, thanks for your input, but that doesn't resolve my issue. However, I have managed to fix it by modifying the Default policy systemflags and then running the command gpfixup.exe /ignoreschema /target :domain.com. After that I was able to restore my old GP from the earlier backup.

  • Broken Default Domain Policy! GPOFIX Doesn't work

    Justin1250 wrote:
    So I noticed that command prompt is open in the users directory.
    Did you right click on the command window and run as administrator?
    It should run from the system directory as an admin.

    Yes I did. I just made sure again to run it as admin. Same result.

    I've spent hours and hours trying to fix this but can't. I seem to have located the problem where the default domain policy has lost its child associated with the GUID in AD/Registry. None of the tools seem to work, and I can't delete and recreate it because it thinks it doesn't exist and because Microsoft has engineered it to not be removable. This would be fine if it wasn't corrupted. I've read on some forums that the inability to delete a policy object is due to permissions issues. However, that isn't the issue in my case. I've tried THIS which didn't work. I recently did a test migration to 2012 from 2003, and was hoping when I migrated the data that the GPO wouldn't transfer its corrupted data, but I was wrong :-/ The pictures below should illustrate more detail than I could describe. GPOFIX Tool. Active Directory showing that the GUID...
    This topic first appeared in the Spiceworks Community

  • NIS+ default passwd policy, such as aging, length

    How to set NIS+ default passwd policy, such as aging, length?
    /etc/default/passwd only affect the local account. Where is the config file for NIS+? Is there a NIS+ table for the passwd policy?
    If there is no config file or NIS+ table for such setting, where is the default value when a new user is added?

    -- Second Update --
    After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
    1. Some URLs have to be defined as not enforced.
    com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
    com.sun.am.policy.amFilter.notenforcedList[2]=*.css
    com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
    2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
    /opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
    byPassSignon=TRUE
    defaultUserid="DEFAULT_USER"
    defaultPWD="your password"
    signon_page=amsignin.html
    signonError_page=amsignin.html
    logout_page=amsignin.html
    expire_page=amsignin.html
    However, in the newer versions of PeopleSoft these properties are controlled from the online PeopleSoft console. They are set on:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that have to be changed are:
    Allow Public Access (checked)
    User ID : DEFAULT_USER
    Password : your password
    HTTP Session Inactivity : (SSO TIMEOUT)
    and:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
    In section "SignOn/Logout" set the following values:
    Signon Page : amsignin.html
    Signon Error Page : amerror.html
    Logout Page : amsignout.html
    Note: After making any changes on the console; restart PIA (weblogic instance).
    With this the SSO with PeopleSoft is working Ok.

  • Default Domain Policy Not Applying Settings to Servers or Clients

    I have 2008 R2 DC's with a functioning level of 2003.  Our domain servers are a mix of 2003, 2008, 2008 R2, and 2012 and our clients are a mix of Windows 7 Pro and Windows 8.1 Pro.
    I recently made a change to the Default Domain Policy located at Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
    For the Security Policy setting called: Network security: Configure encryption types allowed for Kerberos
    The change was to enable DES because of a specific need that I have with an application that I work with, but enabling DES and leaving the other options such as AES unselected caused other applications to not work right. I decided to revert the changes back to "Not Defined" but those changes did not reflect on the servers even after running the gpupdate /force command.
    In order to keep the application working that broke, we enabled all of the encryption levels such as DES, AES, etc. on the server that's running the application via its Local Security Policy as a temporary fix.
    Now, I want to make sure all servers receive the settings from the Default Domain Policy and have their Local Security Policies reflect the "Not Defined" setting but it's not applying. It seems like they worked when I first applied them but when I try to remove them it does not work.
    If I change the setting directly on the Local Security Policy on the server or clients it shows "No minimum" instead of "Not Defined" which I've heard can be fixed by identifying the registry entry for that setting and deleting it...so help with the location and how to identify that key would also be helpful.
    My goal is not to manually have to change servers and clients to revert back to their default settings...I want the Domain policy to apply and override the servers and client's Local Security Policy.
    Any help with this would be greatly appreciated and thank you in advance.

    refer:
    http://technet.microsoft.com/en-us/library/jj852180(v=ws.10).aspx
    We needed to implement a similar scenario a few years ago (when we introduced Windows 7 into our estate).
    We had an SAP/NetWeaver implementation which always worked on WinXP, but failed on Win7.
    We had to enable the DES ciphers, since those were disabled by default in Win7. We discovered that we also needed to enable all the other ciphers (those which are enabled by default [not configured]).
    i.e., when we changed the setting from "Not Configured", enabled DES, and left the RC4/AES stuff untouched by us, the RC4/AES stuff attracted a status of disabled.
    So, we had to set the DES ciphers to Enabled, and, also set the RC4/AES ciphers to Enabled - this gave us the "resultant" enablement of the default stuff and the needed change/addition of DES.
    When you set a GP setting "back to Not Configured", depending upon the setting *AND* the individual Windows feature itself - one of two things will happen:
    a) the feature will "revert" to default behaviour
    b) the feature will retain the current configured behaviour but becomes un-managed
    In classic Group Policy terms, condition (b) above is often referred to as "tattooing", i.e., the last GP setting remains in effect even though GPMC/RSOP/etc does not reveal that to be the case.
    (This is also a really good example of not doing this sort of stuff in the DDP. It could have borked your whole domain :)
    What I'd suggest is that you re-enable your ciphers for KRB settings again - this time, enable all the ciphers that would normally be "default", let that replicate around, and allow time for domain members to action it.
    Then, set the setting back to Not Configured. This way, the "last" settings issued by GP will be those you want to remain as the "legacy".
    Note: the GP settings reference s/sheet, has this to say:
    Network security: Configure encryption types allowed for Kerberos
    This policy setting allows you to set the encryption types that Kerberos is allowed to use.
    If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted.
    This policy is supported on at least Windows 7 or Windows Server 2008 R2.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)
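
To see what a domain member actually holds after the GPO is set back to "Not Defined", the value behind this setting can be read and decoded. This is an added example, not part of the original posts; the registry path, value name and bit flags are taken from Microsoft's documentation of the setting rather than from the thread, and the function names are made up for illustration.

```powershell
# Added example: inspect the registry value behind
# "Network security: Configure encryption types allowed for Kerberos".
# Written to run on PowerShell 2.0 (Windows 7 / Server 2008 R2) and later.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$ValueName = 'SupportedEncryptionTypes'

# Bit flags behind the policy's check boxes (assumption: per Microsoft's documentation).
$EncTypes = @(
    @{ Name = 'DES_CBC_CRC';             Bit = 0x1 },
    @{ Name = 'DES_CBC_MD5';             Bit = 0x2 },
    @{ Name = 'RC4_HMAC_MD5';            Bit = 0x4 },
    @{ Name = 'AES128_HMAC_SHA1';        Bit = 0x8 },
    @{ Name = 'AES256_HMAC_SHA1';        Bit = 0x10 },
    @{ Name = 'Future encryption types'; Bit = 0x7FFFFFE0 }
)

# Hypothetical helper: turn a mask into one row per encryption type.
function ConvertFrom-KerberosEncMask {
    param([Parameter(Mandatory = $true)][int]$Mask)
    foreach ($t in $EncTypes) {
        New-Object PSObject -Property @{
            EncryptionType = $t.Name
            Allowed        = (($Mask -band $t.Bit) -ne 0)
        }
    }
}

# Hypothetical helper: report whether the value exists on this machine and what it allows.
function Get-KerberosEncPolicy {
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Output 'Value absent: no encryption-type policy value is set on this machine.'
        return
    }
    $mask = [int]$prop.$ValueName
    Write-Output ('Value present: 0x{0:X}' -f $mask)
    ConvertFrom-KerberosEncMask -Mask $mask | Select-Object EncryptionType, Allowed
}

Get-KerberosEncPolicy

# Constructed masks for comparison:
# 0x3 = only the two DES boxes ticked, so RC4 and AES come out as not allowed.
ConvertFrom-KerberosEncMask -Mask 0x3 | Select-Object EncryptionType, Allowed
# 0x7FFFFFFF = every box ticked, DES added on top of RC4/AES.
ConvertFrom-KerberosEncMask -Mask 0x7FFFFFFF | Select-Object EncryptionType, Allowed
```

Running it before and after the GPO change on a sample of servers shows whether the value was withdrawn or is still present with the last mask that was pushed.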

  • Default Folders Policy/Items retention period not respected ?

    Hello,
    We have Exchange Server 2007 SP3 and we've set up a default folders policy to erase all mailbox content older than 31 days.
    However, in three mailboxes we've sampled this policy isn't properly applied: the mailboxes had mails newer than 31 days deleted (some 20 days, some 28 days, mine had only 14 days old mails!)
    Can you please explain to me why this is happening?

    Thank you sir Allen
    I ran the commands you mentioned
    [PS] C:\Documents and Settings\Administrateur>Get-Mailbox "alias" | FL Identity, ManagedFolderMailboxPolicy
    Identity                   : domain.com/Users/alias 
    ManagedFolderMailboxPolicy : TestPolicy
    [PS] C:\Documents and Settings\Administrateur>Get-ManagedFolderMailboxPolicy "TestPolicy" | FL Identity,ManagedFolderLinks
    Identity           : TestPolicy
    ManagedFolderLinks : {Entire Mailbox, Tasks, Notes, Journal, Contacts, Calendar
    [PS] C:\Documents and Settings\Administrateur>Get-ManagedContentSettings -FolderName "Entire Mailbox"
    Name                      MessageClass              ManagedFolderName
    testrem                   *                         Entire Mailbox
    [PS] C:\Documents and Settings\Administrateur>Get-ManagedContentSettings -FolderName "Tasks"
    Name                      MessageClass              ManagedFolderName
    Preventing Del            IPM.Task*                 Tasks
    I set the entire Mailbox to be deleted after 31 days, then created managed content settings on tasks, agenda and contacts and unchecked the item retention period so that these items do not get deleted.
    I tried to go with only deleting items from the inbox, but it didn't delete those in custom folders (each user creates his own)... the other method worked though.
