| 0x1001 | 用法: AuditPol command []%n命令 (每次执行仅允许一个命令) /? 帮助(与上下文相关) /get 显示当前审核策略。 /set 设置审核策略。 /list 显示可选择的策略元素。 /backup 将审核策略保存到文件。 /restore 将审核策略从文件还原。 /clear 清除审核策略。 /remove 删除用户帐户的每用户审核策略。 /resourceSACL 配置全局资源 SACL%n有关每个命令的详细信息,请使用 AuditPol /? |
Usage: AuditPol command []%nCommands (only one command permitted per execution) /? Help (context-sensitive) /get Displays the current audit policy. /set Sets the audit policy. /list Displays selectable policy elements. /backup Saves the audit policy to a file. /restore Restores the audit policy from a file. /clear Clears the audit policy. /remove Removes the per-user audit policy for a user account. /resourceSACL Configure global resource SACLs%nUse AuditPol /? for details on each command |
| 0x1002 | 用法: AuditPol /get [/user[:|]] [/category:*||[,:|...]] [/subcategory:|[,:|...]] [/option:] [/sd] [/r]%n此命令显示当前审核策略。%n命令 /? 帮助(与上下文相关) /user 为其查询每用户审核策略的安全主体。 必须指定 /category 或 /subcategory 选项。 可以将用户指定为 SID 或名称。如果未指定 用户帐户,则查询系统审核 策略。 /category GUID 或名称指定的一个或多个审核类别。 可以使用星号(\"*\")表示应该查询所有 审核类别。 /subcategory GUID 或名称指定的一个或多个 审核子类别。 /sd 检索用于将访问委派到审核策略的 安全描述符。 /option 检索 CrashOnAuditFail、 FullPrivilegeAuditing、AuditBaseObjects 或 AuditBaseDirectories 的现有策略。 /r 以报告(CSV)格式显示输出。%n示例用法: auditpol /get /user:domain\\user /Category:\"Detailed Tracking\",\"Object Access\" auditpol /get /Subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /r auditpol /get /option:CrashOnAuditFail auditpol /get /user:{S-1-5-21-397123417-1234567} /Category:\"System\" auditpol /get /sd |
Usage: AuditPol /get [/user[:|]] [/category:*||[,:|...]] [/subcategory:|[,:|...]] [/option:] [/sd] [/r]%nThis command displays the current audit policy.%nCommands /? Help (context-sensitive) /user The security principal for whom the per-user audit policy is queried. Either the /category or /subcategory option must be specified. The user may be specified as a SID or name. If no user account is specified, then the system audit policy is queried. /category One or more audit categories specified by GUID or name. An asterisk (\"*\") may be used to indicate that all audit categories should be queried. /subcategory One or more audit subcategories specified by GUID or name. /sd Retrieves the security descriptor used to delegate access to the audit policy. /option Retrieve existing policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /r Display the output in report (CSV) format.%nSample usage: auditpol /get /user:domain\\user /Category:\"Detailed Tracking\",\"Object Access\" auditpol /get /Subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /r auditpol /get /option:CrashOnAuditFail auditpol /get /user:{S-1-5-21-397123417-1234567} /Category:\"System\" auditpol /get /sd |
| 0x1003 | 用法: AuditPol /set [/user[:|][/include][/exclude]] [/category:|[,:|...]] [/success:|][/failure:|] [/subcategory:|[,:|...]] [/success:|][/failure:|] [/option: /value:|]%n此命令设置当前审核策略。%n命令 /? 帮助(与上下文相关) /user 为其设置类别/子类别指 定的每用户审核策略的安全主体。必 须指定类别或子类别选项,作为 SID 或名称。 /include 与 /user 一起指定;表示用户的 每用户策略将导致生成审核,即 使不由系统审核策略指定。此设置 是默认设置,如果未显式指定 /include 或 /exclude 选项,则自动应用此设置。 /exclude 与 /user 一起指定;表示无论系 统审核策略如何,用户的每用户策 略将导致审核被取消。属于 Administrators 本地组成员的用户不推荐此设置。 /category GUID 或名称指定的一个或多个审核类别。 如果未指定用户,则设置系统策略。 /subcategory GUID 或名称指定的一个或多个审核子类别。 如果未指定用户,则设置系统策略。 /success 指定成功审核。此设置是默认设置,如果 未显示指定 /success 或 /failure 选 项,则自动应用此设置。此设置必须与 表明是启用还是禁用设置 的参数共同使用。 /failure 指定失败审核。此设置必须与 enable 或 disable 参数一起 使用,指定启用或禁用设置。 /option 设置 CrashOnAuditFail、FullPrivilegeAuditing、 AuditBaseObjects 或 AuditBaseDirectories 的 审核策略。 /sd 设置用于将访问委派到审核策略的安全 描述符。必须使用 SDDL 指定安全描述 符。安全描述符必须 具有 DACL。%n示例: auditpol /set /user:domain\\user /Category:\"System\" /success:enable /include auditpol /set /subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /failure:disable auditpol /set /option:CrashOnAuditFail /value:enable auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY) |
Usage: AuditPol /set [/user[:|][/include][/exclude]] [/category:|[,:|...]] [/success:|][/failure:|] [/subcategory:|[,:|...]] [/success:|][/failure:|] [/option: /value:|]%nThis command sets the current audit policy.%nCommands /? Help (context-sensitive) /user The security principal for whom per-user audit policy specified by the category/subcategory is set. Either the category or subcategory option must be specified, as a SID or name. /include Specified with /user; indicates that user's per-user policy will cause audit to be generated even if not specified by the system audit policy. This setting is the default and is automatically applied if neither the /include nor /exclude options are explicitly specified. /exclude Specified with /user; indicates that the user's per-user policy will cause audit to be suppressed regardless of the system audit policy. This setting is not honored for users who are members of the Administrators local group. /category One or more audit categories specified by GUID or name. If no user is specified, the system policy is set. /subcategory One or more audit subcategories specified by GUID or name. If no user is specified, system policy is set. /success Specifies success auditing. This setting is the default and is automatically applied if neither the /success nor /failure options are explicitly specified. This setting must be used with a parameter indicating whether to enable or disable the setting. /failure Specifies failure auditing. This setting must be used with a parameter indicating whether to enable or disable the setting. /option Set the audit policy for CrashOnAuditFail, FullPrivilegeAuditing, AuditBaseObjects or AuditBaseDirectories. /sd Sets the security descriptor used to delegate access to the audit policy. The security descriptor must be specified using SDDL. The security descriptor must have a DACL.%nExample: auditpol /set /user:domain\\user /Category:\"System\" /success:enable /include auditpol /set /subcategory:{0cce9212-69ae-11d9-bed3-505054503030} /failure:disable auditpol /set /option:CrashOnAuditFail /value:enable auditpol /set /sd:D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY) |
| 0x1004 | 用法: AuditPol /list [/user|/category|/subcategory[:||*] [/v] [/r]%n此命令列出审核策略类别、子类别,或列出为其定义每用户审核策略的用户。%n命令 /? 帮助(与上下文相关) /user 检索为其定义每用户审核策略的所有用户。 如果与 /v 选项共同使用,则同时显示用 户的 SID。 /category 显示系统理解的类别的名称。 如果与 /v 选项共同使用,则 同时显示类别 GUID。 /subcategory 显示系统理解的子类别名称, 用于指定类别中的子类别。 如果使用 /v 选项,则同时 显示子类别 GUID。%n示例: auditpol /list /user auditpol /list /category /v auditpol /list /subcategory:\"Detailed Tracking\",\"Object Access\" |
Usage: AuditPol /list [/user|/category|/subcategory[:||*] [/v] [/r]%nThis command lists audit policy categories, subcategories, or lists users forwhom per-user audit policy is defined.%nCommands /? Help (context-sensitive) /user Retrieves all users for whom per-user audit policy has been defined. If used with the /v option, the sid of the user is also displayed. /category Displays the names of categories understood by the system. If used with the /v option, the category GUID is also displayed. /subcategory Displays the names of subcategories understood by the system, for subcategories in a specified category. The subcategory GUIDs are also displayed if the /v option is used.%nExample: auditpol /list /user auditpol /list /category /v auditpol /list /subcategory:\"Detailed Tracking\",\"Object Access\" |
| 0x1005 | 用法: AuditPol /clear [/y]此命令删除所有用户的每用户审核策略,重置所有子类别的系统审核策略,并将所有审核选项设置为禁用。%n选项 /? 帮助(与上下文相关)。 /y 取消确认是否应清除 所有审核策略的提示。%n示例: auditpol /clear auditpol /clear /y |
Usage: AuditPol /clear [/y]This command deletes per-user audit policy for all users, resets systemaudit policy for all subcategories and sets all the auditing options to disabled.%nOptions /? Help (context-sensitive). /y Suppresses the prompt to confirm if all the audit policy should be cleared.%nExample: auditpol /clear auditpol /clear /y |
| 0x1006 | 用法: AuditPol /remove [/user[:|]] [/allusers]%n此命令删除指定帐户的每用户审核策略。%n选项 /? 帮助(与上下文相关)。 /user 指定要为其删除每用户审核策略 的用户的 SID 或用户名 /allusers 删除所有用户的每用户审核策略。%n示例: auditpol /remove /user:{S-1-5-21-397123417-1234567} auditpol /remove /allusers |
Usage: AuditPol /remove [/user[:|]] [/allusers]%nThis command removes per-user audit policy for a specified account.%nOptions /? Help (context-sensitive). /user Specifies the SID or user name for the user for whom per-user audit policy is to be deleted /allusers Deletes per-user audit policy for all users.%nExample: auditpol /remove /user:{S-1-5-21-397123417-1234567} auditpol /remove /allusers |
| 0x1007 | 用法: AuditPol /backup /file:%n此命令将系统审核策略设置、所有用户的每用户审核策略设置和所有审核选项备份到一个文件。备份将写入到CSV 格式的文本文件。%n选项 /? 帮助(与上下文相关)。 /file 指定审核策略将备份到的文件的名称。%n示例: auditpol /backup /file:c:\\auditpolicy.csv |
Usage: AuditPol /backup /file:%nThis command backs up system audit policy settings and per-user audit policysettings for all users and all auditing options into a file. The backup willbe written to a CSV-formatted text file.%nOptions /? Help (context-sensitive). /file Specifies the name of the file to which the audit policy will be backed-up.%nExample: auditpol /backup /file:c:\\auditpolicy.csv |
| 0x1008 | 用法: AuditPol /restore /file:%n此命令将从使用 /backup 命令创建的文件中还原系统审核策略设置、所有用户的每用户审核策略设置和所有审核选项。%n选项 /? 帮助(与上下文相关)。 /file 指定应从其读取审核策略的文件。 文件必须已经由 /backup 选项创建, 或必须与该文件格式语法一致。%n示例: auditpol /restore /file:c:\\auditpolicy.csv |
Usage: AuditPol /restore /file:%nThis command restores system audit policy settings, per-user audit policysettings for all users and all auditing options from a file created with the/backup command.%nOptions /? Help (context-sensitive). /file Specifies the file where the audit policy should be read from. The file must have been created by the /backup option or must be syntactically consistent with that file format.%nExample: auditpol /restore /file:c:\\auditpolicy.csv |
| 0x1009 | 用法: AuditPol /resourceSACL [/set /type: [/success] [/failure] /user: [/access:] [/condition:]] [/remove /type: /user: [/type:]] [/clear [/type:]] [/view [/user:] [/type:]]%n此命令为全局对象访问审核配置设置。需要为系统生成的事件启用相应的对象访问子类别。请键入 auditpol /set /? 获取详细信息。%n命令 /? 显示命令的帮助。 /set 在资源系统访问控制列表中 为指定的资源类型添加新条目 或更新现有条目。 /remove 从按照资源类型指定的全局对象访问审核列表中 删除给定用户的所有 条目。 /clear 从全局对象访问审核列表中 为指定的资源类型删除所有条目。 /view 针对指定的资源类型和用户 列出全局对象访问审核条目。 指定用户是可选的。%n参数%n/type 正在为其配置对象访问审核 的资源。支持的参数值为 File 和 Key。请注意,这些值区分大小写。 File: 目录和文件。 Key: 注册表项。/success 指定成功审核。/failure 指定失败审核。/user 使用下列形式之一指定用户: - DomainName\\Account (如 DOM\\Administrators) - StandaloneServer\\Group - Account (参见 LookupAccountName API) - {S-1-x-x-x-x}. x 以十进制表示,且整个 SID 必须放在大括号中。 例如: {S-1-5-21-5624481-130208933-164394174-1001} 警告: 如果使用 SID 形式,则不执行任何检查来验证 此帐户的存在。/access 指定可用以下两种形式之一 指定的权限掩码: - 简单权限序列: 一般访问权限: GA - 一般完全权限 GR - 一般读取权限 GW - 一般写入权限 GX - 一般执行权限 文件访问权限: FA - 文件完全访问权限 FR - 文件一般读取权限 FW - 文件一般写入权限 FX - 文件一般执行权限 注册表项访问权限: KA - 注册表项完全访问权限 KR - 注册表项读取权限 KW - 注册表项写入权限 KX - 注册表项执行权限 例如: \"/access:FRFW\" 将启用审核事件的 读写操作。 - 表示访问掩码的十六进制值(如 0x1200a9)。 在使用非 SDDL 标准的、特定于资源的位掩码时, 这非常有用。如果省略, 则使用完全访问权限。/condition 基于以下表达式附加一个属性: 文档敏感度为 HBI (“高”) \"(@Resource.Sensitivity == \\\"High\\\")\"%n示例::%n auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\\myuser /success auditpol /resourceSACL /set /type:File /user:MYDOMAIN\\myuser /success /failure /access:FRFW auditpol /resourceSACL /set /type:File /user:everyone /success /failure /access:FRFW /condition:\"(@Resource.Sensitivity == \\\"High\\\")\" auditpol /resourceSACL /type:File /clear auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001} auditpol /resourceSACL /type:File /view auditpol /resourceSACL /type:File /view /user:MYDOMAIN\\myuser |
Usage: AuditPol /resourceSACL [/set /type: [/success] [/failure] /user: [/access:] [/condition:]] [/remove /type: /user: [/type:]] [/clear [/type:]] [/view [/user:] [/type:]]%nThis command configures settings for global object access auditing. Thecorresponding object access subcategory needs to be enabled for the eventsto be generated by the system. Type auditpol /set /? for more information.%nCommands /? Displays Help for the command. /set Adds a new entry to or updates an existing entry in the resource system access control list for the resource type specified. /remove Removes all entries for the given user from the global object access auditing list specified by the resource type. /clear Removes all entries from the global object access auditing list for the specified resource type. /view Lists the global object access auditing entries for the specified resource type and user. Specifying a user is optional.%nArguments%n/type The resource for which object access auditing is being configured. The supported argument values are File and Key. Note that these values are case sensitive. File: Directories and files. Key: Registry keys./success Specifies success auditing./failure Specifies failure auditing./user Specifies a user in one of the following forms: - DomainName\\Account (such as DOM\\Administrators) - StandaloneServer\\Group - Account (see LookupAccountName API) - {S-1-x-x-x-x}. x is expressed in decimal, and the entire SID must be enclosed in curly braces. For example: {S-1-5-21-5624481-130208933-164394174-1001} Warning: If SID form is used, no check is done to verify the existence of this account./access Specifies a permission mask that can be specified in one of two forms: - A sequence of simple rights: Generic access rights: GA - GENERIC ALL GR - GENERIC READ GW - GENERIC WRITE GX - GENERIC EXECUTE Access rights for files: FA - FILE ALL ACCESS FR - FILE GENERIC READ FW - FILE GENERIC WRITE FX - FILE GENERIC EXECUTE Access rights for registry keys: KA - KEY ALL ACCESS KR - KEY READ KW - KEY WRITE KX - KEY EXECUTE For example: '/access:FRFW' will enable audit events for read and write operations. - A hex value representing the access mask (such as 0x1200a9). This is useful when using resource-specific bit masks that are not part of the SDDL standard. If omitted, Full access is used./condition Appends an attribute based expression like the following: Document sensitivity is HBI (\"High\") \"(@Resource.Sensitivity == \\\"High\\\")\"%nExamples:%n auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\\myuser /success auditpol /resourceSACL /set /type:File /user:MYDOMAIN\\myuser /success /failure /access:FRFW auditpol /resourceSACL /set /type:File /user:everyone /success /failure /access:FRFW /condition:\"(@Resource.Sensitivity == \\\"High\\\")\" auditpol /resourceSACL /type:File /clear auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001} auditpol /resourceSACL /type:File /view auditpol /resourceSACL /type:File /view /user:MYDOMAIN\\myuser |
| 0x100A | 为下列用户帐户定义了审核策略:%n |
Audit policy is defined for the following user accounts:%n |
| 0x100B | 用户帐户%n |
User Account%n |
| 0x100C | SID |
SID |
| 0x100D | 没有为该用户帐户定义审核策略。%n |
No audit policy is defined for the user account.%n |
| 0x100E | 命令成功执行。%n |
The command was successfully executed.%n |
| 0x100F | 审核策略安全描述符: %%s%n |
Audit Policy Security Descriptor: %%s%n |
| 0x1010 | 当前没有此资源类型的全局 SACL。%n |
Currently, there is no global SACL for this resource type.%n |
| 0x1011 | 项目: %%lu资源类型: %%s用户: %%s标志: %%s条件: %%s访问: |
Entry: %%luResource Type: %%sUser: %%sFlags: %%sCondition: %%sAccesses: |
| 0x1012 | [转换帐户 SID 时出错] |
[Error converting account SID] |
| 0x1013 | 无 |
None |
| 0x1014 | 成功 |
Success |
| 0x1015 | 失败 |
Failure |
| 0x1016 | 成功和失败 |
Success and failure |
| 0x1017 | 发生错误 0x%%08X:%n%%s%n |
Error 0x%%08X occurred:%n%%s%n |