| 0x1001 | Usage: AuditPol command []%nCommands (only one command permitted per execution) /? Help (context-sensitive) /get Displays the current audit policy. /set Sets the audit policy. /list Displays selectable policy elements. /backup Saves the audit policy to a file. /restore Restores the audit policy from a file. /clear Clears the audit policy. /remove Removes the per-user audit policy for a user account. /resourceSACL Configure global resource SACLs%nUse AuditPol /? for details on each command |
Usage: AuditPol command []%nCommands (only one command permitted per execution) /? Help (context-sensitive) /get Displays the current audit policy. /set Sets the audit policy. /list Displays selectable policy elements. /backup Saves the audit policy to a file. /restore Restores the audit policy from a file. /clear Clears the audit policy. /remove Removes the per-user audit policy for a user account. /resourceSACL Configure global resource SACLs%nUse AuditPol /? for details on each command |
| 0x1002 | Usage: AuditPol /get [/user[:|]] [/category:*||[,:|...]] [/subcategory:|[,:|...]] [/option:] [/sd] [/r]%nThis command displays the current audit policy.%nCommands /? Help (context-sensitive) /user The security principal for whom the per-user audit policy is queried. Either the /category or /subcategory option must be specified. The user may be specified as a SID or name. If no user account is specified, then the system audit policy is queried. /category One or more audit categories specified by GUID or name. An asterisk (\"*\") may be used to indicate that all audit categories should be queried. /subcategory One or more audit subcategories specified by GUID or name. /sd Retrieves the security descriptor used to delegate access to the audit policy. /option Retrieve existing policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /r Display the output in report (CSV) format.%nSample usage: auditpol /get /user:domain\\user /Category:\"Detailed Tracking\",\"Object Access\" auditpol /get /Subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /r auditpol /get /option:CrashOnAuditFail auditpol /get /user:{S-1-5-21-397123417-1234567} /Category:\"System\" auditpol /get /sd |
Usage: AuditPol /get [/user[:|]] [/category:*||[,:|...]] [/subcategory:|[,:|...]] [/option:] [/sd] [/r]%nThis command displays the current audit policy.%nCommands /? Help (context-sensitive) /user The security principal for whom the per-user audit policy is queried. Either the /category or /subcategory option must be specified. The user may be specified as a SID or name. If no user account is specified, then the system audit policy is queried. /category One or more audit categories specified by GUID or name. An asterisk (\"*\") may be used to indicate that all audit categories should be queried. /subcategory One or more audit subcategories specified by GUID or name. /sd Retrieves the security descriptor used to delegate access to the audit policy. /option Retrieve existing policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /r Display the output in report (CSV) format.%nSample usage: auditpol /get /user:domain\\user /Category:\"Detailed Tracking\",\"Object Access\" auditpol /get /Subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /r auditpol /get /option:CrashOnAuditFail auditpol /get /user:{S-1-5-21-397123417-1234567} /Category:\"System\" auditpol /get /sd |
| 0x1003 | Usage: AuditPol /set [/user[:|][/include][/exclude]] [/category:|[,:|...]] [/success:|][/failure:|] [/subcategory:|[,:|...]] [/success:|][/failure:|] [/option: /value:|]%nThis command sets the current audit policy.%nCommands /? Help (context-sensitive) /user The security principal for whom per-user audit policy specified by the category/subcategory is set. Either the category or subcategory option must be specified, as a SID or name. /include Specified with /user; indicates that user's per-user policy will cause audit to be generated even if not specified by the system audit policy. This setting is the default and is automatically applied if neither the /include nor /exclude options are explicitly specified. /exclude Specified with /user; indicates that the user's per-user policy will cause audit to be suppressed regardless of the system audit policy. This setting is not honored for users who are members of the Administrators local group. /category One or more audit categories specified by GUID or name. If no user is specified, the system policy is set. /subcategory One or more audit subcategories specified by GUID or name. If no user is specified, system policy is set. /success Specifies success auditing. This setting is the default and is automatically applied if neither the /success nor /failure options are explicitly specified. This setting must be used with a parameter indicating whether to enable or disable the setting. /failure Specifies failure auditing. This setting must be used with a parameter indicating whether to enable or disable the setting. /option Set the audit policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /sd Sets the security descriptor used to delegate access to the audit policy. The security descriptor must be specified using SDDL. The security descriptor must have a DACL.%nExample: auditpol /set /user:domain\\user /Category:\"System\" /success:enable /include auditpol /set /subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /failure:disable auditpol /set /option:CrashOnAuditFail /value:enable auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY) |
Usage: AuditPol /set [/user[:|][/include][/exclude]] [/category:|[,:|...]] [/success:|][/failure:|] [/subcategory:|[,:|...]] [/success:|][/failure:|] [/option: /value:|]%nThis command sets the current audit policy.%nCommands /? Help (context-sensitive) /user The security principal for whom per-user audit policy specified by the category/subcategory is set. Either the category or subcategory option must be specified, as a SID or name. /include Specified with /user; indicates that user's per-user policy will cause audit to be generated even if not specified by the system audit policy. This setting is the default and is automatically applied if neither the /include nor /exclude options are explicitly specified. /exclude Specified with /user; indicates that the user's per-user policy will cause audit to be suppressed regardless of the system audit policy. This setting is not honored for users who are members of the Administrators local group. /category One or more audit categories specified by GUID or name. If no user is specified, the system policy is set. /subcategory One or more audit subcategories specified by GUID or name. If no user is specified, system policy is set. /success Specifies success auditing. This setting is the default and is automatically applied if neither the /success nor /failure options are explicitly specified. This setting must be used with a parameter indicating whether to enable or disable the setting. /failure Specifies failure auditing. This setting must be used with a parameter indicating whether to enable or disable the setting. /option Set the audit policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /sd Sets the security descriptor used to delegate access to the audit policy. The security descriptor must be specified using SDDL. The security descriptor must have a DACL.%nExample: auditpol /set /user:domain\\user /Category:\"System\" /success:enable /include auditpol /set /subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /failure:disable auditpol /set /option:CrashOnAuditFail /value:enable auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY) |
| 0x1004 | Usage: AuditPol /list [/user|/category|/subcategory[:||*] [/v] [/r]%nThis command lists audit policy categories, subcategories, or lists users forwhom per-user audit policy is defined.%nCommands /? Help (context-sensitive) /user Retrieves all users for whom per-user audit policy has been defined. If used with the /v option, the sid of the user is also displayed. /category Displays the names of categories understood by the system. If used with the /v option, the category GUID is also displayed. /subcategory Displays the names of subcategories understood by the system, for subcategories in a specified category. The subcategory GUIDs are also displayed if the /v option is used.%nExample: auditpol /list /user auditpol /list /category /v auditpol /list /subcategory:\"Detailed Tracking\",\"Object Access\" |
Usage: AuditPol /list [/user|/category|/subcategory[:||*] [/v] [/r]%nThis command lists audit policy categories, subcategories, or lists users forwhom per-user audit policy is defined.%nCommands /? Help (context-sensitive) /user Retrieves all users for whom per-user audit policy has been defined. If used with the /v option, the sid of the user is also displayed. /category Displays the names of categories understood by the system. If used with the /v option, the category GUID is also displayed. /subcategory Displays the names of subcategories understood by the system, for subcategories in a specified category. The subcategory GUIDs are also displayed if the /v option is used.%nExample: auditpol /list /user auditpol /list /category /v auditpol /list /subcategory:\"Detailed Tracking\",\"Object Access\" |
| 0x1005 | Usage: AuditPol /clear [/y]This command deletes per-user audit policy for all users, resets systemaudit policy for all subcategories and sets all the auditing options to disabled.%nOptions /? Help (context-sensitive). /y Suppresses the prompt to confirm if all the audit policy should be cleared.%nExample: auditpol /clear auditpol /clear /y |
Usage: AuditPol /clear [/y]This command deletes per-user audit policy for all users, resets systemaudit policy for all subcategories and sets all the auditing options to disabled.%nOptions /? Help (context-sensitive). /y Suppresses the prompt to confirm if all the audit policy should be cleared.%nExample: auditpol /clear auditpol /clear /y |
| 0x1006 | Usage: AuditPol /remove [/user[:|]] [/allusers]%nThis command removes per-user audit policy for a specified account.%nOptions /? Help (context-sensitive). /user Specifies the SID or user name for the user for whom per-user audit policy is to be deleted /allusers Deletes per-user audit policy for all users.%nExample: auditpol /remove /user:{S-1-5-21-397123417-1234567} auditpol /remove /allusers |
Usage: AuditPol /remove [/user[:|]] [/allusers]%nThis command removes per-user audit policy for a specified account.%nOptions /? Help (context-sensitive). /user Specifies the SID or user name for the user for whom per-user audit policy is to be deleted /allusers Deletes per-user audit policy for all users.%nExample: auditpol /remove /user:{S-1-5-21-397123417-1234567} auditpol /remove /allusers |
| 0x1007 | Usage: AuditPol /backup /file:%nThis command backs up system audit policy settings and per-user audit policysettings for all users and all auditing options into a file. The backup willbe written to a CSV-formatted text file.%nOptions /? Help (context-sensitive). /file Specifies the name of the file to which the audit policy will be backed-up.%nExample: auditpol /backup /file:c:\\auditpolicy.csv |
Usage: AuditPol /backup /file:%nThis command backs up system audit policy settings and per-user audit policysettings for all users and all auditing options into a file. The backup willbe written to a CSV-formatted text file.%nOptions /? Help (context-sensitive). /file Specifies the name of the file to which the audit policy will be backed-up.%nExample: auditpol /backup /file:c:\\auditpolicy.csv |
| 0x1008 | Usage: AuditPol /restore /file:%nThis command restores system audit policy settings, per-user audit policysettings for all users and all auditing options from a file created with the/backup command.%nOptions /? Help (context-sensitive). /file Specifies the file where the audit policy should be read from. The file must have been created by the /backup option or must be syntactically consistent with that file format.%nExample: auditpol /restore /file:c:\\auditpolicy.csv |
Usage: AuditPol /restore /file:%nThis command restores system audit policy settings, per-user audit policysettings for all users and all auditing options from a file created with the/backup command.%nOptions /? Help (context-sensitive). /file Specifies the file where the audit policy should be read from. The file must have been created by the /backup option or must be syntactically consistent with that file format.%nExample: auditpol /restore /file:c:\\auditpolicy.csv |
| 0x1009 | Usage: AuditPol /resourceSACL [/set /type: [/success] [/failure] /user: [/access:] [/condition:]] [/remove /type: /user: [/type:]] [/clear [/type:]] [/view [/user:] [/type:]]%nThis command configures settings for global object access auditing. Thecorresponding object access subcategory needs to be enabled for the eventsto be generated by the system. Type auditpol /set /? for more information.%nCommands /? Displays Help for the command. /set Adds a new entry to or updates an existing entry in the resource system access control list for the resource type specified. /remove Removes all entries for the given user from the global object access auditing list specified by the resource type. /clear Removes all entries from the global object access auditing list for the specified resource type. /view Lists the global object access auditing entries for the specified resource type and user. Specifying a user is optional.%nArguments%n/type The resource for which object access auditing is being configured. The supported argument values are File and Key. Note that these values are case sensitive. File: Directories and files. Key: Registry keys./success Specifies success auditing./failure Specifies failure auditing./user Specifies a user in one of the following forms: - DomainName\\Account (such as DOM\\Administrators) - StandaloneServer\\Group - Account (see LookupAccountName API) - {S-1-x-x-x-x}. x is expressed in decimal, and the entire SID must be enclosed in curly braces. For example: {S-1-5-21-5624481-130208933-164394174-1001} Warning: If SID form is used, no check is done to verify the existence of this account./access Specifies a permission mask that can be specified in one of two forms: - A sequence of simple rights: Generic access rights: GA - GENERIC ALL GR - GENERIC READ GW - GENERIC WRITE GX - GENERIC EXECUTE Access rights for files: FA - FILE ALL ACCESS FR - FILE GENERIC READ FW - FILE GENERIC WRITE FX - FILE GENERIC EXECUTE Access rights for registry keys: KA - KEY ALL ACCESS KR - KEY READ KW - KEY WRITE KX - KEY EXECUTE For example: '/access:FRFW' will enable audit events for read and write operations. - A hex value representing the access mask (such as 0x1200a9). This is useful when using resource-specific bit masks that are not part of the SDDL standard. If omitted, Full access is used./condition Appends an attribute based expression like the following: Document sensitivity is HBI (\"High\") \"(@Resource.Sensitivity == \\\"High\\\")\"%nExamples:%n auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\\myuser /success auditpol /resourceSACL /set /type:File /user:MYDOMAIN\\myuser /success /failure /access:FRFW auditpol /resourceSACL /set /type:File /user:everyone /success /failure /access:FRFW /condition:\"(@Resource.Sensitivity == \\\"High\\\")\" auditpol /resourceSACL /type:File /clear auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001} auditpol /resourceSACL /type:File /view auditpol /resourceSACL /type:File /view /user:MYDOMAIN\\myuser |
Usage: AuditPol /resourceSACL [/set /type: [/success] [/failure] /user: [/access:] [/condition:]] [/remove /type: /user: [/type:]] [/clear [/type:]] [/view [/user:] [/type:]]%nThis command configures settings for global object access auditing. Thecorresponding object access subcategory needs to be enabled for the eventsto be generated by the system. Type auditpol /set /? for more information.%nCommands /? Displays Help for the command. /set Adds a new entry to or updates an existing entry in the resource system access control list for the resource type specified. /remove Removes all entries for the given user from the global object access auditing list specified by the resource type. /clear Removes all entries from the global object access auditing list for the specified resource type. /view Lists the global object access auditing entries for the specified resource type and user. Specifying a user is optional.%nArguments%n/type The resource for which object access auditing is being configured. The supported argument values are File and Key. Note that these values are case sensitive. File: Directories and files. Key: Registry keys./success Specifies success auditing./failure Specifies failure auditing./user Specifies a user in one of the following forms: - DomainName\\Account (such as DOM\\Administrators) - StandaloneServer\\Group - Account (see LookupAccountName API) - {S-1-x-x-x-x}. x is expressed in decimal, and the entire SID must be enclosed in curly braces. For example: {S-1-5-21-5624481-130208933-164394174-1001} Warning: If SID form is used, no check is done to verify the existence of this account./access Specifies a permission mask that can be specified in one of two forms: - A sequence of simple rights: Generic access rights: GA - GENERIC ALL GR - GENERIC READ GW - GENERIC WRITE GX - GENERIC EXECUTE Access rights for files: FA - FILE ALL ACCESS FR - FILE GENERIC READ FW - FILE GENERIC WRITE FX - FILE GENERIC EXECUTE Access rights for registry keys: KA - KEY ALL ACCESS KR - KEY READ KW - KEY WRITE KX - KEY EXECUTE For example: '/access:FRFW' will enable audit events for read and write operations. - A hex value representing the access mask (such as 0x1200a9). This is useful when using resource-specific bit masks that are not part of the SDDL standard. If omitted, Full access is used./condition Appends an attribute based expression like the following: Document sensitivity is HBI (\"High\") \"(@Resource.Sensitivity == \\\"High\\\")\"%nExamples:%n auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\\myuser /success auditpol /resourceSACL /set /type:File /user:MYDOMAIN\\myuser /success /failure /access:FRFW auditpol /resourceSACL /set /type:File /user:everyone /success /failure /access:FRFW /condition:\"(@Resource.Sensitivity == \\\"High\\\")\" auditpol /resourceSACL /type:File /clear auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001} auditpol /resourceSACL /type:File /view auditpol /resourceSACL /type:File /view /user:MYDOMAIN\\myuser |
| 0x100A | Audit policy is defined for the following user accounts:%n |
Audit policy is defined for the following user accounts:%n |
| 0x100B | User Account%n |
User Account%n |
| 0x100C | SID |
SID |
| 0x100D | No audit policy is defined for the user account.%n |
No audit policy is defined for the user account.%n |
| 0x100E | The command was successfully executed.%n |
The command was successfully executed.%n |
| 0x100F | Audit Policy Security Descriptor: %%s%n |
Audit Policy Security Descriptor: %%s%n |
| 0x1010 | Currently, there is no global SACL for this resource type.%n |
Currently, there is no global SACL for this resource type.%n |
| 0x1011 | Entry: %%luResource Type: %%sUser: %%sFlags: %%sCondition: %%sAccesses: |
Entry: %%luResource Type: %%sUser: %%sFlags: %%sCondition: %%sAccesses: |
| 0x1012 | [Error converting account SID] |
[Error converting account SID] |
| 0x1013 | None |
None |
| 0x1014 | Success |
Success |
| 0x1015 | Failure |
Failure |
| 0x1016 | Success and failure |
Success and failure |
| 0x1017 | Error 0x%%08X occurred:%n%%s%n |
Error 0x%%08X occurred:%n%%s%n |