| 0x1001 | 使用方式: AuditPol command []%n命令 (每次僅允許執行一個命令) /? 說明 (線上即時) /get 顯示目前的稽核原則。 /set 設定稽核原則。 /list 顯示可選取的原則元素。 /backup 將稽核原則儲存至檔案。 /restore 從檔案還原稽核原則。 /clear 清除稽核原則。 /remove 移除使用者帳戶的每個使用者稽核原則。 /resourceSACL 設定全域資源 SACL%n使用 AuditPol /? 可取得每個命令的詳細資料 |
Usage: AuditPol command []%nCommands (only one command permitted per execution) /? Help (context-sensitive) /get Displays the current audit policy. /set Sets the audit policy. /list Displays selectable policy elements. /backup Saves the audit policy to a file. /restore Restores the audit policy from a file. /clear Clears the audit policy. /remove Removes the per-user audit policy for a user account. /resourceSACL Configure global resource SACLs%nUse AuditPol /? for details on each command |
| 0x1002 | 使用方式: AuditPol /get [/user[:|]] [/category:*||[,:|...]] [/subcategory:|[,:|...]] [/option:] [/sd] [/r]%n此命令可顯示目前的稽核原則。%n命令 /? 說明 (線上即時) /user 要查詢之每個使用者的稽核原則的安全性主體。必須指定 /category 或 /subcategory 選項。您必須使用 SID 或名稱來指定使用者。 若未指定使用者帳戶,會查詢系統稽核原則。 /category 以 GUID 或名稱指定的一或多個稽核類別。您可以使用星號 (\"*\") 來表示要查詢所有稽核類別。 /subcategory 以 GUID 或名稱指定的一或多個稽核子類別。 /sd 抓取用來委派存取權給稽核原則的安全性描述元。 /option 抓取 CrashOnAuditFail、FullPrivilegeAuditing、 AuditBaseObjects 或 AuditBaseDirectories 的現有原則。 /r 以報表 (CSV) 格式顯示輸出。%n範例使用方式: auditpol /get /user:domain\\user /Category:\"Detailed Tracking\",\"Object Access\" auditpol /get /Subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /r auditpol /get /option:CrashOnAuditFail auditpol /get /user:{S-1-5-21-397123417-1234567} /Category:\"System\" auditpol /get /sd |
Usage: AuditPol /get [/user[:|]] [/category:*||[,:|...]] [/subcategory:|[,:|...]] [/option:] [/sd] [/r]%nThis command displays the current audit policy.%nCommands /? Help (context-sensitive) /user The security principal for whom the per-user audit policy is queried. Either the /category or /subcategory option must be specified. The user may be specified as a SID or name. If no user account is specified, then the system audit policy is queried. /category One or more audit categories specified by GUID or name. An asterisk (\"*\") may be used to indicate that all audit categories should be queried. /subcategory One or more audit subcategories specified by GUID or name. /sd Retrieves the security descriptor used to delegate access to the audit policy. /option Retrieve existing policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /r Display the output in report (CSV) format.%nSample usage: auditpol /get /user:domain\\user /Category:\"Detailed Tracking\",\"Object Access\" auditpol /get /Subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /r auditpol /get /option:CrashOnAuditFail auditpol /get /user:{S-1-5-21-397123417-1234567} /Category:\"System\" auditpol /get /sd |
| 0x1003 | 使用方式: AuditPol /set [/user[:|][/include][/exclude]] [/category:|[,:|...]] [/success:|][/failure:|] [/subcategory:|[,:|...]] [/success:|][/failure:|] [/option: /value:|]%n此命令可設定目前的稽核原則。%n命令 /? 說明 (線上即時) /user 已設定類別/子類別之每個使用者的稽核原則指定的安全性主體。 您必須使用 SID 或名稱指定 category/subcategory 選項。 /include 搭配 /user 一起指定; 表示即使系統稽核原則未指定,也會稽核 使用者的每個使用者原則。此設定為預設設定,即使未明確指定 /include 或 /exclude 選項,也會自動套用。 /exclude 搭配 /user 一起指定; 表示不論系統稽核原則為何,都不會稽核 使用者的每個使用者原則。此設定不會套用到屬於本機 Administrators 群組成員的使用者。 /category 以 GUID 或名稱指定的一或多個稽核類別。 若未指定任何使用者,會設定系統原則。 /subcategory 以 GUID 或名稱指定的一或多個稽核子類別。 若未指定任何使用者,會設定系統原則。 /success 指定成功時稽核。此設定為預設設定,若未明確指定 /success 或 /failure 選項,也會自動套用。此設定必須搭配參數使用,以指示 是要啟用或停用 (enable 或 disable) 該設定。 /failure 指定失敗時稽核。此設定必須搭配參數使用,以指示是要啟用或 停用 (enable 或 disable) 該設定。 /option 設定 CrashOnAuditFail、FullPrivilegeAuditing、 AuditBaseObjects 或 AuditBaseDirectories 的稽核原則。 /sd 設定用於委派存取權至稽核原則的安全性描述元。安全性描述元必須 使用 SDDL 來指定。安全性描述元必須具有 DACL。%n範例使用方式: auditpol /set /user:domain\\user /Category:\"System\" /success:enable /include auditpol /set /subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /failure:disable auditpol /set /option:CrashOnAuditFail /value:enable auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY) |
Usage: AuditPol /set [/user[:|][/include][/exclude]] [/category:|[,:|...]] [/success:|][/failure:|] [/subcategory:|[,:|...]] [/success:|][/failure:|] [/option: /value:|]%nThis command sets the current audit policy.%nCommands /? Help (context-sensitive) /user The security principal for whom per-user audit policy specified by the category/subcategory is set. Either the category or subcategory option must be specified, as a SID or name. /include Specified with /user; indicates that user's per-user policy will cause audit to be generated even if not specified by the system audit policy. This setting is the default and is automatically applied if neither the /include nor /exclude options are explicitly specified. /exclude Specified with /user; indicates that the user's per-user policy will cause audit to be suppressed regardless of the system audit policy. This setting is not honored for users who are members of the Administrators local group. /category One or more audit categories specified by GUID or name. If no user is specified, the system policy is set. /subcategory One or more audit subcategories specified by GUID or name. If no user is specified, system policy is set. /success Specifies success auditing. This setting is the default and is automatically applied if neither the /success nor /failure options are explicitly specified. This setting must be used with a parameter indicating whether to enable or disable the setting. /failure Specifies failure auditing. This setting must be used with a parameter indicating whether to enable or disable the setting. /option Set the audit policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /sd Sets the security descriptor used to delegate access to the audit policy. The security descriptor must be specified using SDDL. The security descriptor must have a DACL.%nExample: auditpol /set /user:domain\\user /Category:\"System\" /success:enable /include auditpol /set /subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /failure:disable auditpol /set /option:CrashOnAuditFail /value:enable auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY) |
| 0x1004 | 使用方式: AuditPol /list [/user|/category|/subcategory[:||*] [/v] [/r]%n此命令可列出稽核原則類別、子類別或選項,或列出已定義每個使用者稽核原則的使用者。%n命令 /? 說明 (線上即時) /user 抓取已定義每個使用者稽核原則的所有使用者。若搭配 /v 選項使 用,也會顯示使用者的 SID。 /category 顯示系統已知的類別名稱。若搭配 /v 選項使用,也會顯示類別 GUID。 /subcategory 對於位於指定類別中的子類別,顯示指定之系統已知的子類別名稱。 若搭配 /v 選項使用,也會顯示子類別 GUID。%n範例: auditpol /list /user auditpol /list /category /v auditpol /list /subcategory:\"Detailed Tracking\",\"Object Access\" |
Usage: AuditPol /list [/user|/category|/subcategory[:||*] [/v] [/r]%nThis command lists audit policy categories, subcategories, or lists users forwhom per-user audit policy is defined.%nCommands /? Help (context-sensitive) /user Retrieves all users for whom per-user audit policy has been defined. If used with the /v option, the sid of the user is also displayed. /category Displays the names of categories understood by the system. If used with the /v option, the category GUID is also displayed. /subcategory Displays the names of subcategories understood by the system, for subcategories in a specified category. The subcategory GUIDs are also displayed if the /v option is used.%nExample: auditpol /list /user auditpol /list /category /v auditpol /list /subcategory:\"Detailed Tracking\",\"Object Access\" |
| 0x1005 | 使用方式: AuditPol /clear [/y]此命令會刪除所有使用者的每個使用者稽核原則,重設所有子類別的系統稽核原則,並將所有稽核選項設定為停用。%n選項 /? 說明 (線上即時)。 /y 抑制清除所有稽核原則時的確認提示。%n範例: auditpol /clear auditpol /clear /y |
Usage: AuditPol /clear [/y]This command deletes per-user audit policy for all users, resets systemaudit policy for all subcategories and sets all the auditing options to disabled.%nOptions /? Help (context-sensitive). /y Suppresses the prompt to confirm if all the audit policy should be cleared.%nExample: auditpol /clear auditpol /clear /y |
| 0x1006 | 使用方式: AuditPol /remove [/user[:|]] [/allusers]%n這個命令可移除指定之帳戶的每個使用者稽核原則。%n選項 /? 說明 (線上即時)。 /user 指定要刪除每個使用者稽核原則之使用者的 SID 或使用者名稱 /allusers 刪除所有使用者的每個使用者稽核原則。%n範例: auditpol /remove /user:{S-1-5-21-397123417-1234567} auditpol /remove /allusers |
Usage: AuditPol /remove [/user[:|]] [/allusers]%nThis command removes per-user audit policy for a specified account.%nOptions /? Help (context-sensitive). /user Specifies the SID or user name for the user for whom per-user audit policy is to be deleted /allusers Deletes per-user audit policy for all users.%nExample: auditpol /remove /user:{S-1-5-21-397123417-1234567} auditpol /remove /allusers |
| 0x1007 | 使用方式: AuditPol /backup /file:%n此命令可將所有使用者的系統稽核原則設定與每個使用者稽核原則設定與所有稽核選項備份到檔案中。備份會寫入 CSV 格式的文字檔。%n選項 /? 說明 (線上即時)。 /file 指定要用來備份稽核原則之檔案的名稱。%n範例: auditpol /backup /file:c:\\auditpolicy.csv |
Usage: AuditPol /backup /file:%nThis command backs up system audit policy settings and per-user audit policysettings for all users and all auditing options into a file. The backup willbe written to a CSV-formatted text file.%nOptions /? Help (context-sensitive). /file Specifies the name of the file to which the audit policy will be backed-up.%nExample: auditpol /backup /file:c:\\auditpolicy.csv |
| 0x1008 | 使用方式: AuditPol /restore /file:%n此命令可將使用 /backup 命令備份之所有使用者的系統稽核原則設定、每個使用者稽核原則設定與所有稽核選項,從檔案還原到系統。%n選項 /? 說明 (線上即時)。 /file 指定要從哪個檔案讀取備份的稽核原則。該檔案必須是使用 /backup 選項所建立,或是其語法必須符合該檔案格式。%n範例: auditpol /restore /file:c:\\auditpolicy.csv |
Usage: AuditPol /restore /file:%nThis command restores system audit policy settings, per-user audit policysettings for all users and all auditing options from a file created with the/backup command.%nOptions /? Help (context-sensitive). /file Specifies the file where the audit policy should be read from. The file must have been created by the /backup option or must be syntactically consistent with that file format.%nExample: auditpol /restore /file:c:\\auditpolicy.csv |
| 0x1009 | 使用方式: AuditPol /resourceSACL [/set /type: [/success] [/failure] /user: [/access:] [/condition:]] [/remove /type: /user: [/type:]] [/clear [/type:]] [/view [/user:] [/type:]]%n這個命令會設定全域物件存取稽核設定。需要啟用相應的物件存取子類別,系統才能產生事件。請輸入 'auditpol /set /?' 以取得詳細資訊。%n命令 /? 顯示本命令的說明。 /set 為指定的資源類型,將新的項目新增至資源系統存取 控制清單 或更新其中的現有項目。 /remove 從資源類型指定的全域物件存取稽核清單中,移除 指定使用者的所有項目。 /clear 從指定資源類型的全域物件存取稽核清單中移除所有 項目。 /view 列出指定的資源類型及使用者的全域物件存取稽核 項目。您可以選擇性地指定使用者。%n引數%n/type 為其設定物件存取稽核的資源。 支援的引數值為 File 與 Key。請注意,這些值區分 大小寫。 File: 目錄和檔案。 Key: 登錄機碼。/success 指定成功稽核。/failure 指定失敗稽核。/user 用以下其中一種方式來指定使用者: - DomainName\\Account (例如 DOM\\Administrators) - StandaloneServer\\Group - Account (請參閱 LookupAccountName API) - {S-1-x-x-x-x}。x 是以十進位表示,而整個 SID 必須 以大括號括住。 例如: {S-1-5-21-5624481-130208933-164394174-1001} 警告: 若使用 SID 格式,不會做任何檢查 來確認此帳戶是否存在。/access 指定權限遮罩,這可以用以下其中一種方式來指定: - 簡易權限的順序: 泛用存取權限: GA - GENERIC ALL GR - GENERIC READ GW - GENERIC WRITE GX - GENERIC EXECUTE 檔案存取權限: FA - FILE ALL ACCESS FR - FILE GENERIC READ FW - FILE GENERIC WRITE FX - FILE GENERIC EXECUTE 登錄存取權限: KA - KEY ALL ACCESS KR - KEY READ KW - KEY WRITE KX - KEY EXECUTE 例如:'/access:FRFW' 會為讀取與寫入作業來 啟用稽核事件。 - 十六進位值,代表存取遮罩 (例如,0x1200a9)。 使用資源特定位元遮罩時而且不是屬於 SDDL 標準時,十分有用。如果遺漏,則使用完整存取。/condition 附加以屬性為基礎的運算式,例如: Document sensitivity is HBI (\"High\") \"(@Resource.Sensitivity == \\\"High\\\")\"%n範例:%n auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\\myuser /success auditpol /resourceSACL /set /type:File /user:MYDOMAIN\\myuser /success /failure /access:FRFW auditpol /resourceSACL /set /type:File /user:everyone /success /failure /access:FRFW /condition:\"(@Resource.Sensitivity == \\\"High\\\")\" auditpol /resourceSACL /type:File /clear auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001} auditpol /resourceSACL /type:File /view auditpol /resourceSACL /type:File /view /user:MYDOMAIN\\myuser |
Usage: AuditPol /resourceSACL [/set /type: [/success] [/failure] /user: [/access:] [/condition:]] [/remove /type: /user: [/type:]] [/clear [/type:]] [/view [/user:] [/type:]]%nThis command configures settings for global object access auditing. Thecorresponding object access subcategory needs to be enabled for the eventsto be generated by the system. Type auditpol /set /? for more information.%nCommands /? Displays Help for the command. /set Adds a new entry to or updates an existing entry in the resource system access control list for the resource type specified. /remove Removes all entries for the given user from the global object access auditing list specified by the resource type. /clear Removes all entries from the global object access auditing list for the specified resource type. /view Lists the global object access auditing entries for the specified resource type and user. Specifying a user is optional.%nArguments%n/type The resource for which object access auditing is being configured. The supported argument values are File and Key. Note that these values are case sensitive. File: Directories and files. Key: Registry keys./success Specifies success auditing./failure Specifies failure auditing./user Specifies a user in one of the following forms: - DomainName\\Account (such as DOM\\Administrators) - StandaloneServer\\Group - Account (see LookupAccountName API) - {S-1-x-x-x-x}. x is expressed in decimal, and the entire SID must be enclosed in curly braces. For example: {S-1-5-21-5624481-130208933-164394174-1001} Warning: If SID form is used, no check is done to verify the existence of this account./access Specifies a permission mask that can be specified in one of two forms: - A sequence of simple rights: Generic access rights: GA - GENERIC ALL GR - GENERIC READ GW - GENERIC WRITE GX - GENERIC EXECUTE Access rights for files: FA - FILE ALL ACCESS FR - FILE GENERIC READ FW - FILE GENERIC WRITE FX - FILE GENERIC EXECUTE Access rights for registry keys: KA - KEY ALL ACCESS KR - KEY READ KW - KEY WRITE KX - KEY EXECUTE For example: '/access:FRFW' will enable audit events for read and write operations. - A hex value representing the access mask (such as 0x1200a9). This is useful when using resource-specific bit masks that are not part of the SDDL standard. If omitted, Full access is used./condition Appends an attribute based expression like the following: Document sensitivity is HBI (\"High\") \"(@Resource.Sensitivity == \\\"High\\\")\"%nExamples:%n auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\\myuser /success auditpol /resourceSACL /set /type:File /user:MYDOMAIN\\myuser /success /failure /access:FRFW auditpol /resourceSACL /set /type:File /user:everyone /success /failure /access:FRFW /condition:\"(@Resource.Sensitivity == \\\"High\\\")\" auditpol /resourceSACL /type:File /clear auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001} auditpol /resourceSACL /type:File /view auditpol /resourceSACL /type:File /view /user:MYDOMAIN\\myuser |
| 0x100A | 已針對下列使用者帳戶定義稽核原則:%n |
Audit policy is defined for the following user accounts:%n |
| 0x100B | 使用者帳戶%n |
User Account%n |
| 0x100C | SID |
SID |
| 0x100D | 沒有為該使用者帳戶定義稽核原則。%n |
No audit policy is defined for the user account.%n |
| 0x100E | 已順利執行命令。%n |
The command was successfully executed.%n |
| 0x100F | 稽核原則安全性描述元: %%s%n |
Audit Policy Security Descriptor: %%s%n |
| 0x1010 | 此資源類型目前沒有全域 SACL。%n |
Currently, there is no global SACL for this resource type.%n |
| 0x1011 | 輸入項目: %%lu資源類型: %%s使用者: %%s旗標: %%s條件: %%s存取權: |
Entry: %%luResource Type: %%sUser: %%sFlags: %%sCondition: %%sAccesses: |
| 0x1012 | [轉換帳戶 SID 時發生錯誤] |
[Error converting account SID] |
| 0x1013 | 無 |
None |
| 0x1014 | 成功 |
Success |
| 0x1015 | 失敗 |
Failure |
| 0x1016 | 成功與失敗 |
Success and failure |
| 0x1017 | 發生錯誤 0x%%08X:%n%%s%n |
Error 0x%%08X occurred:%n%%s%n |