Advanced audit policy in Windows using auditpol.exe

It is preferable to set the advanced audit policy from the command prompt or PowerShell rather than the GUI. Note that even after you apply the settings from the command line, the GUI might not reflect them. That is not an issue. That's as far as I know.

Open gpedit.msc/secpol.msc

  • Computer Configuration – Security Settings – Security Options
  • Set the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to “Enabled”.

To list the full advanced audit policy on a server, use the command:

  • Auditpol.exe /get /category:*

The output lists each category and its subcategories with the current setting: success, failure, or not configured.

A few examples:

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable /failure:enable

The command below enables success auditing only:

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable

The command below sets credential validation to “no auditing”:

  • Auditpol.exe /set /subcategory:"credential validation" /success:disable /failure:disable

You can group all of these commands, save them as a PowerShell script or a batch file, and run it on the required machines.
Please refer to the Microsoft link for detailed info:


Audit Policy – Command – PowerShell – Local Security Policy

Copy the contents below into Notepad, save the file as name.ps1, and run the script using PowerShell. The audit policy will be updated. Adjust the success and failure settings according to your requirements.

Audit Policy Location

  • Start – Run – Secpol.msc – Security Settings – Local Policy – Audit Policy

# Each block sets one audit category, then prints a status line and a blank line.
# Straight quotes are required; curly quotes pasted from a web page break the commands.
" `n "
auditpol /set /category:"object access" /success:enable /failure:enable
" Object Access – Policy Updated"
" `n "

auditpol /set /category:"account logon" /success:enable /failure:enable
" Account Logon – Policy Updated"
" `n "

auditpol /set /category:"policy change" /success:enable /failure:enable
" Policy Change – Policy Updated"
" `n "

auditpol /set /category:"account management" /success:enable /failure:enable
" Account Management – Policy Updated"
" `n "

auditpol /set /category:"ds access" /success:disable /failure:enable
" DS Access – Policy Updated"
" `n "

auditpol /set /category:"privilege use" /success:disable /failure:enable
" Privilege Use – Policy Updated"
" `n "

auditpol /set /category:"system" /success:disable /failure:enable
" System – Policy Updated"
" `n "

auditpol /set /category:"logon/logoff" /success:enable /failure:enable
" Logon/Logoff – Policy Updated"
" `n "

# Pause for 3 seconds
start-sleep -s 3
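
Since the GUI may not reflect what auditpol applied, the effective policy is best confirmed from the command line. The PowerShell script below is an added example, not part of the original post: it reads the CSV report from auditpol /get /category:* /r, compares it with a baseline, and checks the registry value behind the "Audit: Force audit policy subcategory settings" option. The baseline table is a constructed sample chosen to match the script above, and the subcategory names assume English-language auditpol output.

```powershell
# Added example: verify the effective audit policy after running the script above.
# Run from an elevated PowerShell prompt.

# Constructed sample baseline (assumption): expected setting per subcategory.
$baseline = @{
    'Credential Validation'   = 'Success and Failure'   # account logon
    'User Account Management' = 'Success and Failure'   # account management
    'Audit Policy Change'     = 'Success and Failure'   # policy change
    'Logon'                   = 'Success and Failure'   # logon/logoff
    'Sensitive Privilege Use' = 'Failure'               # privilege use
    'Security State Change'   = 'Failure'               # system
}

# Registry value set by the "Force audit policy subcategory settings" option.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
$forceSubcategory = ($null -ne $lsa) -and ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

# /r prints the policy as CSV; drop blank lines before parsing.
$raw = auditpol.exe /get /category:* /r
if ($LASTEXITCODE -ne 0) { throw "auditpol failed (exit code $LASTEXITCODE). Run elevated." }
$effective = $raw | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

# Build one result row per baseline entry.
$report = foreach ($name in $baseline.Keys) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $baseline[$name]
        Actual      = $actual
        Compliant   = ($actual -eq $baseline[$name])
    }
}

$report | Sort-Object Subcategory | Format-Table -AutoSize

if (-not $forceSubcategory) {
    Write-Warning 'Subcategory override is not enabled; category-level policy may overwrite these settings.'
}

# Non-zero exit code lets a scheduled task or deployment tool flag drift.
if ($report.Compliant -contains $false) { exit 1 }
```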