The AuditPol utility helps you manage audit policies.
Auditing is the process of recording the successes and failures of users or other objects on the current system. For example, you could record every time a user fails to log on to the system. The AuditPol utility supports the following modes of operation.
Get
Displays the current audit policy.
Set
Modifies the audit policy.
List
Displays a list of selectable audit policies.
Backup
Saves the current audit policy to a file.
Restore
Restores a saved audit policy from a file.
Clear
Restores the audit policy to a known state (no audit policy at all).
Remove
Removes the per-user audit policy for the specified user.
The following sections describe each of these modes in detail.
1. Get
The Get mode displays the audit policy for the current or specified user. This mode uses the following syntax:
AuditPol /Get [/user:<username>|<{sid}>]
[/category:*|<name>|<{guid}>[,:<name>|<{guid}>...]]
[/subcategory:<name>|<{guid}>[,:<name>|<{guid}>...]]
[/option:{CrashOnAuditFail | FullPrivilegeAuditing | AuditBaseObjects |
AuditBaseDirectories}] [/sd] [/r]
The following list describes each of the command line arguments.
/user:{username | SID}
Specifies the user account to query. You can provide either the username or the SID. Add the domain (domain\username) to qualify the username in a domain setting. You must use either the /category or /subcategory option with this option. The utility queries the system audit policy when you don't supply a username.
/category:{* | name | GUID}[, {name | GUID}...]
Specifies one or more categories to query. You can query all of the categories by using an asterisk (*) in place of a specific category name. The utility lets you identify a category using its name or GUID. Separate multiple category entries using commas and enclose any category name with a space or other special symbol in double quotes. An example of a category is System.
/subcategory:{name | GUID}[, {name | GUID}...]
Specifies one or more subcategories to query. The utility lets you identify a subcategory using its name or GUID. Separate multiple subcategory entries using commas and enclose any subcategory name with a space or other special symbol in double quotes. You don't have to specify both category and subcategory; using subcategory alone is sufficient. An example of a subcategory is Security System Extension.
/sd
Retrieves the security descriptor used to delegate access to the audit policy. You can't use this option with any other option; it must appear separately.
/option:{CrashOnAuditFail | FullPrivilegeAuditing | AuditBaseObjects | AuditBaseDirectories}
Retrieves the state (policy) for the specified option. You can't use this option with any other option; it must appear separately.
/r
Displays the output in CSV format.
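The /r switch is what makes Get mode scriptable: the CSV it emits can be parsed and compared against an expected baseline, which is how a defender checks that the subcategories a SIEM depends on are still being audited. The following PowerShell script is an added example, not part of the original text; it assumes an elevated session with auditpol.exe on the path, and the baseline table (with the subcategory names Logon, Process Creation and Audit Policy Change alongside the page's Security System Extension) is a constructed sample you would replace with your own.

```powershell
# Added example (not from the original page): compare the live system audit
# policy, read with AuditPol /get /category:* /r, against a defender baseline.
# Assumes an elevated session (reading the system policy needs admin rights)
# and auditpol.exe on PATH.

# Constructed baseline: subcategory name -> minimum setting we expect.
$Baseline = @{
    'Logon'                     = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
    'Security System Extension' = 'Success and Failure'
}

function Get-AuditPolicyTable {
    # /category:* queries every category; /r emits CSV with a header row whose
    # columns are: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting
    $csv = & auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /get failed with exit code $LASTEXITCODE"
    }
    return $csv | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
}

function Test-AuditBaseline {
    param([hashtable]$Expected)

    # Index the live policy by subcategory name.
    $actual = @{}
    foreach ($row in Get-AuditPolicyTable) {
        $actual[$row.Subcategory] = $row.'Inclusion Setting'
    }

    # Emit one result object per baseline entry. A setting of
    # 'Success and Failure' satisfies a baseline that asks for only one side.
    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name]
        $got  = $actual[$name]
        $ok = switch ($want) {
            'Success and Failure' { $got -eq 'Success and Failure' }
            'Success'             { $got -in @('Success', 'Success and Failure') }
            'Failure'             { $got -in @('Failure', 'Success and Failure') }
            default               { $false }
        }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $want
            Actual      = if ($null -eq $got) { '<not found>' } else { $got }
            Compliant   = [bool]$ok
        }
    }
}

# Usage: print the comparison; rows with Compliant = False need attention.
Test-AuditBaseline -Expected $Baseline | Format-Table -AutoSize
```

Run the script periodically (or from a configuration-management check) and alert on any row that is not compliant; a subcategory that silently drops to No Auditing is a common cause of gaps in logon and process telemetry.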
2. Set
The Set mode changes the audit policy for the current or specified user. This mode uses the following syntax:
AuditPol /set
[/user[:<username>|<{sid}>][/include][/exclude]]
[/category:<name>|<{guid}>[,:<name>|<{guid}>...]]
[/success:<enable>|<disable>][/failure:<enable>|<disable>]
[/subcategory:<name>|<{guid}>[,:<name>|<{guid}>...]]
[/success:<enable>|<disable>][/failure:<enable>|<disable>]
[/option: {CrashOnAuditFail | FullPrivilegeAuditing | AuditBaseObjects |
AuditBaseDirectories} /value:<enable>|<disable>]
The following list describes each of the command line arguments.
/user:{username | SID}
Specifies the user account to set. You can provide either the username or the SID. Add the domain (domain\username) to qualify the username in a domain setting. You must use either the /category or /subcategory option with this option. The utility queries the system audit policy when you don't supply a username.
/include
Forces the system to generate an audit as part of the per-user policy even if the audit isn't specified by the system audit policy. This option is the default. You use this option with the /user option.
/exclude
Forces the system to suppress an audit as part of the per-user policy even if the audit is specified by the system audit policy. This option isn't honored for users who are members of the Administrators local group. You use this option with the /user option.
/category:{name | GUID}[, {name | GUID}...]
Specifies one or more categories to set. The utility lets you identify a category using its name or GUID. Separate multiple category entries using commas and enclose any category name with a space or other special symbol in double quotes. An example of a category is System.
/subcategory:{name | GUID}[, {name | GUID}...]
Specifies one or more subcategories to set. The utility lets you identify a subcategory using its name or GUID. Separate multiple subcategory entries using commas and enclose any subcategory name with a space or other special symbol in double quotes. You don't have to specify both category and subcategory; using subcategory alone is sufficient. An example of a subcategory is Security System Extension.
/success:{Enable | Disable}
Sets the success auditing for the associated category or subcategory. Use Enable or Disable to start or end success auditing.
/failure:{Enable | Disable}
Sets the failure auditing for the associated category or subcategory. Use Enable or Disable to start or end failure auditing.
/option:{CrashOnAuditFail | FullPrivilegeAuditing | AuditBaseObjects | AuditBaseDirectories} /value:{Enable | Disable}
Sets the state (policy) for the specified option. You can't use this option with any other option; it must appear separately. Always include the /value option to enable or disable the option.
/sd
Sets the security descriptor used to delegate access to the audit policy. You can't use this option with any other option; it must appear separately. The security descriptor must include a Discretionary Access Control List (DACL) specified using the Security Descriptor Definition Language (SDDL).
3. List
Use the List mode to obtain a list of possible users, categories, or subcategories, rather than the audit settings. For example, if you use the /user option alone, you'll see a list of users that have audit policies set, rather than the user's settings. This mode uses the following syntax:
AuditPol /list
[/user|/category|/subcategory[:<categoryname>|<{guid}>|*]] [/v] [/r]
The following list describes each of the command line arguments.
/user
Displays a list of users who have audit policies set.
/category
Displays a list of categories whether or not they have audit policies set.
/subcategory[:{categoryname | GUID | *}]
Displays a list of subcategories when you supply a category name or associated GUID. Use the asterisk (*) to display a list of all subcategories regardless of category.
/v
Outputs additional information depending on the list you display. This option displays the SID for users and the GUID for both categories and subcategories.
/r
Displays the output in CSV format.
4. Backup
The Backup mode lets you make a backup of the current audit policy. This mode uses the following syntax:
AuditPol /backup /file:<filename>
The following describes the command line argument.
/file:filename
Specifies the name of the file you want to use for the backup.
5. Restore
The Restore mode restores an audit policy you previously saved to a file. This mode uses the following syntax:
AuditPol /restore /file:<filename>
The following describes the command line argument.
/file:filename
Specifies the name of the file you want to restore.
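Set, Backup and Restore are normally used together: back the policy up, apply the change, verify it with Get, and restore the backup if the verification fails. The following PowerShell script is an added example that ties the three modes together; it is not part of the original text. It assumes an elevated session with auditpol.exe on the path; the subcategory name Logon and the backup path under $env:TEMP are placeholders you would adjust.

```powershell
# Added example (not from the original page): change one subcategory's
# audit setting under change control. Backup mode saves the whole policy,
# Set mode applies the change, Get mode verifies it, and Restore mode rolls
# back on any failure. Assumes an elevated session and auditpol.exe on PATH.

$Subcategory = 'Logon'                                    # placeholder subcategory
$BackupFile  = Join-Path $env:TEMP 'auditpol-backup.csv'  # placeholder path

function Invoke-AuditPol {
    # Run auditpol with an argument list and fail loudly on a non-zero exit.
    param([string[]]$Arguments)
    $output = & auditpol.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol $($Arguments -join ' ') failed: $output"
    }
    return $output
}

function Get-SubcategorySetting {
    # Get mode with /r yields CSV; the 'Inclusion Setting' column holds the
    # effective setting (No Auditing, Success, Failure, Success and Failure).
    param([string]$Name)
    $row = Invoke-AuditPol @('/get', "/subcategory:$Name", '/r') |
        Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

# 1. Backup mode: save the whole policy so the change is reversible.
Invoke-AuditPol @('/backup', "/file:$BackupFile") | Out-Null
$before = Get-SubcategorySetting -Name $Subcategory
Write-Host "Before: $Subcategory = $before (backup at $BackupFile)"

try {
    # 2. Set mode: turn on failure auditing; success auditing is left as is.
    Invoke-AuditPol @('/set', "/subcategory:$Subcategory", '/failure:enable') | Out-Null

    # 3. Get mode: verify the change actually took effect before trusting it.
    $after = Get-SubcategorySetting -Name $Subcategory
    if ($after -notin @('Failure', 'Success and Failure')) {
        throw "Verification failed: $Subcategory reports '$after'"
    }
    Write-Host "After:  $Subcategory = $after"
}
catch {
    # 4. Restore mode: put the saved policy back if anything went wrong.
    Write-Warning "$_ - restoring policy from $BackupFile"
    Invoke-AuditPol @('/restore', "/file:$BackupFile") | Out-Null
    throw
}
```

Keep the backup file after a successful run as well: it is the evidence of the pre-change state, and it is the only way to undo a later Clear, which the page notes is otherwise irreversible.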
6. Clear
The Clear mode clears the audit policies for all users on the system. This mode uses the following syntax:
AuditPol /clear [/y]
The following describes the command line argument.
/y
Suppresses the prompt that asks whether you're sure you want to clear all of the audit policies.
Use the Clear mode with care because you'll remove all the audit policies and the process isn't reversible. The best policy is to make a backup before you use this option.
7. Remove
The Remove mode clears the per-user audit policy for the specified users. This mode uses the following syntax:
AuditPol /remove [/user[:<username>|<{sid}>]] [/allusers]
The following list describes each of the command line arguments.
/user:{username | SID}
Specifies the user account to change. You can provide either the username or the SID. Add the domain (domain\username) to qualify the username in a domain setting. You must use either the /category or /subcategory option with this option. The utility queries the system audit policy when you don't supply a username.
/allusers
Removes the per-user audit policies for all users. This option is equivalent to using the Clear mode from a user perspective. However, the audit policy options remain intact.