Advanced audit policy in Windows using auditpol.exe

It is preferable to set the advanced audit policy through the command prompt or PowerShell rather than through the GUI. Note that even after you apply the settings from the command line, the GUI may not reflect them; that is not an issue, as far as I know.

Open gpedit.msc or secpol.msc:

  • Computer Configuration > Security Settings > Security Options
  • Set the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled".

To get the full advanced audit policy of a server, use the command

  • Auditpol.exe /get /category:*

The output lists every category and subcategory with its status: Success, Failure, Success and Failure, or No Auditing.

A few examples. The command below enables auditing of both successful and failed credential validation:

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable /failure:enable

The command below enables auditing of successes only (the failure setting is left as it is):

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable

The command below sets credential validation to "No Auditing":

  • Auditpol.exe /set /subcategory:"credential validation" /success:disable /failure:disable

You can group all of these commands into a PowerShell script or a batch file and run it on the required machines.
Please refer to the Microsoft documentation for detailed information: https://technet.microsoft.com/en-us/library//dd408940(v=ws.10).aspx
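Running the same auditpol /set lines on every machine works, but it gives no feedback about what actually changed. The script below is an added example (not from the original post) that goes one step further: it reads the effective policy with "auditpol /get /category:* /r" (the /r switch emits CSV with a "Subcategory" and an "Inclusion Setting" column), compares it against a small baseline hashtable, applies only the subcategories that differ, and re-reads the policy afterwards to report any remaining drift. The baseline values are constructed for illustration; the subcategory names are the ones auditpol prints on an English system, so adjust them to your locale and requirements.

```powershell
# Added example: idempotent apply of an advanced audit policy baseline with auditpol.exe.
# Must run from an elevated PowerShell prompt (auditpol /set needs administrator rights).
#Requires -RunAsAdministrator

# Constructed baseline (subcategory name -> desired "Inclusion Setting" as auditpol reports it).
$Baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Process Creation'          = 'Success'
}

function Get-AuditPolicyState {
    # /r gives CSV: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting. Blank lines are dropped before parsing.
    auditpol.exe /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

function ConvertTo-AuditpolSwitches {
    # Map the human-readable setting back to the /success and /failure switches.
    param([string]$Setting)
    switch ($Setting) {
        'Success and Failure' { '/success:enable',  '/failure:enable'  }
        'Success'             { '/success:enable',  '/failure:disable' }
        'Failure'             { '/success:disable', '/failure:enable'  }
        'No Auditing'         { '/success:disable', '/failure:disable' }
        default               { throw "Unknown audit setting '$Setting'" }
    }
}

$current = Get-AuditPolicyState
foreach ($name in $Baseline.Keys) {
    $row = $current | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) {
        Write-Warning "Subcategory '$name' not found on this host (name or locale mismatch?)"
        continue
    }
    $actual = $row.'Inclusion Setting'
    if ($actual -eq $Baseline[$name]) {
        Write-Output "${name}: already '$actual'"
        continue
    }
    $switches = ConvertTo-AuditpolSwitches $Baseline[$name]
    auditpol.exe /set /subcategory:"$name" @switches
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol /set failed for '$name' (exit code $LASTEXITCODE)"
    } else {
        Write-Output "${name}: '$actual' -> '$($Baseline[$name])'"
    }
}

# Verify: re-read the policy and list anything still different from the baseline.
$drift = Get-AuditPolicyState | Where-Object {
    $Baseline.ContainsKey($_.Subcategory) -and $_.'Inclusion Setting' -ne $Baseline[$_.Subcategory]
}
if ($drift) {
    Write-Warning 'Audit policy still differs from baseline:'
    $drift | Format-Table Subcategory, 'Inclusion Setting'
} else {
    Write-Output 'Audit policy matches baseline.'
}
```

Because the script compares before it sets, it can be scheduled or re-run safely; the final drift check is also a cheap way to detect that someone (or a GPO) has quietly turned a subcategory back off.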

Audit Policy – Command – PowerShell – Local Security Policy

Copy the contents below into Notepad, save the file as name.ps1, and run the script from PowerShell. The audit policy will be updated. Adjust the success and failure settings according to your requirements.

Audit Policy Location

  • Start > Run > secpol.msc > Security Settings > Local Policies > Audit Policy

# Run from an elevated PowerShell prompt. Each /category line applies the setting to
# every subcategory of that category; the bare strings simply print progress markers.
" `n "
auditpol /set /category:"object access" /success:enable /failure:enable
" Object Access - Policy Updated"
" `n "

auditpol /set /category:"account logon" /success:enable /failure:enable
" Account Logon - Policy Updated"
" `n "

auditpol /set /category:"policy change" /success:enable /failure:enable
" Policy Change - Policy Updated"
" `n "

auditpol /set /category:"account management" /success:enable /failure:enable
" Account Management - Policy Updated"
" `n "

# Failure-only for the noisier categories below
auditpol /set /category:"ds access" /success:disable /failure:enable
" DS Access - Policy Updated"
" `n "

auditpol /set /category:"privilege use" /success:disable /failure:enable
" Privilege Use - Policy Updated"
" `n "

auditpol /set /category:"system" /success:disable /failure:enable
" System - Policy Updated"
" `n "

auditpol /set /category:"logon/logoff" /success:enable /failure:enable
" Logon/Logoff - Policy Updated"
" `n "

# Pause briefly so the output stays visible before the window closes
Start-Sleep -Seconds 3

If you see the error "PowerShell script cannot be loaded because running scripts is disabled on the system", the execution policy is blocking the script.

Type Set-ExecutionPolicy RemoteSigned, press Enter, and press Enter again at the confirmation prompt to allow running scripts.

Try running the PowerShell script again and it should succeed.

To disable running scripts in PowerShell again, type Set-ExecutionPolicy Default, press Enter, and press Enter again at the confirmation prompt.