Description
This article explains how to use the Auditpol command, with examples, to get and set Security Audit settings at the category and subcategory level (Advanced Audit Configuration).
Usage of Auditpol command
Auditpol.exe is the command-line utility for changing Audit Security settings at the category and subcategory level. It is available by default in Windows 2008 R2 and later versions and in Windows 7 and later versions. With Auditpol, we can get and set Audit Security settings at the per-user level and at the computer level.
Note: You should run the Auditpol command with elevated privileges (Run As Administrator).
Usage: AuditPol command [<sub-command><options>]
Commands (only one command permitted per execution)
/? Help (context-sensitive)
/get Displays the current audit policy.
/set Sets the audit policy.
/list Displays selectable policy elements.
/backup Saves the audit policy to a file.
/restore Restores the audit policy from a file.
/clear Clears the audit policy.
/remove Removes the per-user audit policy for a user account.
/resourceSACL Configure global resource SACLs
Auditpol Command Examples
Lists all the settings
Auditpol /get /category:*
Lists only the Account Management category settings.
Auditpol /get /category:"Account Management"
Lists only the User Account Management subcategory setting.
Auditpol /get /subcategory:"User Account Management"
Enable success auditing for the Account Management category.
Auditpol /set /category:"Account Management" /success:enable
Enable failure auditing for the Account Management category.
Auditpol /set /category:"Account Management" /failure:enable
Disable (remove) success auditing for the Account Management category.
Auditpol /set /category:"Account Management" /success:disable
Disable (remove) failure auditing for the Account Management category.
Auditpol /set /category:"Account Management" /failure:disable
Enable success auditing for the User Account Management subcategory only.
Auditpol /set /subcategory:"User Account Management" /success:enable
Enable failure auditing for the User Account Management subcategory only.
Auditpol /set /subcategory:"User Account Management" /failure:enable
Lists Detailed Tracking category settings only for the user Administrator.
Auditpol /get /user:Administrator /category:"Detailed Tracking"
Enable success auditing for the Detailed Tracking category for the user Administrator only.
Auditpol /set /user:Administrator /category:"Detailed Tracking" /success:enable
Thanks,
Morgan
Software Developer
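The /backup, /get and /set commands above combined into one elevated PowerShell session, as an added example that is not part of the original article: it saves the current policy, changes a subcategory only if it differs from a baseline, and then re-reads the policy to confirm the change. It relies on auditpol's /r (CSV report) switch, which the article does not cover; the $BackupFile path and the $Baseline contents are hypothetical, and the setting names assume English-language Windows.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Assumptions: English-language Windows (setting names are localized);
# $BackupFile and the contents of $Baseline are hypothetical.
$BackupFile = Join-Path $env:TEMP 'auditpol-before.csv'

# Desired state; "User Account Management" is the subcategory the article uses.
$Baseline = @{ 'User Account Management' = 'Success and Failure' }

function Get-AuditSubcategory {
    # /r makes auditpol emit CSV; drop blank lines before parsing.
    auditpol /get /category:* /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        Select-Object @{ n = 'Subcategory'; e = { $_.Subcategory.Trim() } },
                      @{ n = 'Setting';     e = { $_.'Inclusion Setting' } }
}

# 1. Save the current policy; undo later with: auditpol /restore /file:<path>
auditpol /backup "/file:$BackupFile" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'auditpol /backup failed (elevated prompt?)' }

# 2. Compare the live policy with the baseline and change only what differs.
$current = Get-AuditSubcategory
foreach ($name in $Baseline.Keys) {
    $want = $Baseline[$name]
    $have = ($current | Where-Object Subcategory -eq $name).Setting
    if ($have -eq $want) { continue }

    $success = if ($want -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($want -match 'Failure') { 'enable' } else { 'disable' }
    Write-Host "Changing '$name': '$have' -> '$want'"
    auditpol /set "/subcategory:$name" "/success:$success" "/failure:$failure" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$name'" }
}

# 3. Re-read the policy and report anything that still does not match.
$after = Get-AuditSubcategory
$drift = foreach ($name in $Baseline.Keys) {
    $row = $after | Where-Object Subcategory -eq $name
    if ($row.Setting -ne $Baseline[$name]) { $row }
}
if ($drift) { $drift | Format-Table -AutoSize }
else { Write-Host 'Audit policy matches the baseline.' }
```

Adding more subcategory names to $Baseline extends the same check-then-set loop to them.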
How would I set this up to loop through all subcategories and set success/failure for each one?
How do I apply the audit command to only one file? It’s like working on a GUI. For example, File-Properties-Security-Audit-File Write Audit: Success. How do I do this on the command line?