AUDITPOL.exe

Display information about and perform functions to manipulate audit policies.

Syntax
      AUDITPOL /backup /file:filename

      AUDITPOL /clear [/y]

      AUDITPOL /get [/user[:username | {sid}]] [/category:* | name | {guid}[,:name | {guid} ]]
         [/subcategory:* | name | {guid}[,:name | {guid} ]] [/option:option name] [/sd] [/r]

      AUDITPOL /list [ /user | /category | /subcategory[:categoryname|{guid}|*] ] [/v] [/r]

      AUDITPOL /remove [/user[:username|{SID}]] [/allusers]

      AUDITPOL /resourceSACL [/set /type:resource [/success] [/failure]
                  /user:user [/access:access_flags]] [/remove /type:resource /user:user [/type:resource]]
                     [/clear [/type:resource]] [/view [/user:user] [/type:resource]]

      AUDITPOL /restore /file:filename

      AUDITPOL /set [/user[:username | {sid}] [/include] [/exclude]]
          [/category:name | {guid}[,:name | {guid} ]] [/success:enable |disable] [/failure:enable | disable]
             [/subcategory:name | {guid}[,:name|{guid} ]] [/success:enable | disable] [/failure:enable | disable]
                [/option:option_name /value:enable|disable]

Key
   /allusers   Remove the per-user audit policy for all users.

   /category
           Display or set one or more audit categories by globally unique identifier (GUID) or name.
           An asterisk (*) may be used to indicate that all audit categories should be queried.
           If used with /v , the category globally unique identifier (GUID) is also displayed.
           If no user is specified, the system policy is set.

   /clear  Remove all entries from the global object access auditing list.

   /exclude
           Specified with /user; indicates that the user’s per-user policy will cause an audit to be
           suppressed regardless of the system audit policy.
           This setting is ignored for users who are members of the local Administrators group.

   /subcategory
           Display or set one or more audit subcategories by GUID or name.
           If no user is specified, the system policy is set.

   /failure
           Specifies failure auditing. This setting must be used with a parameter indicating whether
           to enable or disable the setting.

   /file:filename
           A file name for the backup or restore.


   /include
           Specified with /user; indicates that the user’s per-user policy will cause an audit to be
           generated even if it is not specified by the system audit policy.
           This setting is the default and is automatically applied if neither the /include nor /exclude
           parameters are explicitly specified.

   /option Set or retrieve the existing policy for the CrashOnAuditFail, FullprivilegeAuditing,
           AuditBaseObjects, or AuditBaseDirectories options.

   /r      Display the output in comma-separated value (CSV) format.

   /remove Remove all entries for the given user in the global object access auditing list.

   /set    Add a new entry or update an existing entry in the resource SACL for the resource type specified.

   /sd     Set or Retrieve the security descriptor used to delegate access to the audit policy.
           When setting, the security descriptor must be specified by using the Security Descriptor Definition
           Language (SDDL). The security descriptor must have a discretionary access control list (DACL).

   /success
           Specifies success auditing. This setting is the default and is automatically applied if
           neither the /success nor /failure parameters are explicitly specified.
           This setting must be used with a parameter indicating whether to enable or disable the setting.

   /user   Display or set the security principal for a per-user audit policy.
           Either the /category or /subcategory parameter must be specified.
           The user may be specified as a security identifier (SID) or name.
           If no user account is specified, then the system audit policy is queried.
           If used with /v , the security identifier (SID) of the user is also displayed. 

   /v      Display the GUID with the category or subcategory, or when used with /user, displays the SID
           of each user.

   /view   List the global object access auditing entries in a resource SACL.
           The user and resource types are optional.

   /y      Suppress the prompt to confirm if all audit policy settings should be cleared.

Query or manipulate audit policies, including: the system audit policy, per-user audit policies, auditing options, and the security descriptors used to delegate access to an audit policy. AUDITPOL can also report or back up an audit policy to a comma-separated value (CSV) text file, load an audit policy from a CSV text file, and configure global resource SACLs.

Examples

Back up the per-user audit policy settings for all users, the system audit policy settings and all auditing options to a CSV-formatted text file:

auditpol /backup /file:C:\policies\auditpolicy.csv

Delete the per-user audit policy for all users, reset (disable) the system audit policy for all subcategories, and set all the audit policy settings to disabled:

auditpol /clear

or without a confirmation prompt:

auditpol /clear /y

Retrieve the per-user audit policy for the Guest account and display the output for the System, Detailed Tracking, and Object Access categories:

auditpol /get /user:{S-1-5-21-1443922412-3030960370-963420232-51} /category:System,Detailed Tracking,Object Access

This command is useful in two scenarios. First, when monitoring a specific user account for suspicious activity, you can use an inclusion policy to enable additional auditing for that account and then use /get to retrieve the results in specific categories. Second, if the audit settings on an account are logging numerous but superfluous events, you can use an exclusion policy to filter out the extraneous events for that account and confirm the result with /get. For a list of all categories, use the auditpol /list /category command.

Retrieve the per-user audit policy for a category and a particular subcategory, which reports the inclusive and exclusive settings for that subcategory under the System category for the Guest account:

auditpol /get /user:guest /category:System /subcategory:{0ccee921a-69ae-11d9-bed3-505054503030}

Display the output in report format and include the computer name, policy target, subcategory, subcategory GUID, inclusion settings, and exclusion settings:

auditpol /get /user:guest /category:Detailed Tracking /r

Retrieve the audit policy settings for all categories:

auditpol /get /category:*

Retrieve the policy for the System category and subcategories, which reports the category and subcategory policy settings for the system audit policy:

auditpol /get /category:System /subcategory:{0ccee921a-69ae-11d9-bed3-505054503030}

Retrieve the policy for the Detailed Tracking category and its subcategories in report format, including the computer name, policy target, subcategory, subcategory GUID, inclusion settings, and exclusion settings:

auditpol /get /category:Detailed Tracking /r
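The /r report above is plain CSV, so it can be parsed offline to check a host's policy against expectations. The following is an added example (not code from SS64 or from Microsoft); the sample report text is constructed here, not captured from a real host, and the subcategory names and GUIDs in it are sample values. The column layout follows the page's description of the report: machine name, policy target, subcategory, subcategory GUID, inclusion setting, exclusion setting.

```python
import csv
from typing import Dict, List

# Constructed sample of `auditpol /get /category:* /r` output (not captured from a
# real host). Column layout is the one the /r report uses.
SAMPLE_REPORT = """
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST1,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success,
HOST1,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
HOST1,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
HOST1,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},Failure,
"""

# Text of the "Inclusion Setting" column -> (success audited, failure audited)
INCLUSION_TEXT = {
    "No Auditing": (False, False),
    "Success": (True, False),
    "Failure": (False, True),
    "Success and Failure": (True, True),
}


def parse_report(text: str) -> Dict[str, dict]:
    """Parse the /r CSV report into {subcategory: {machine, target, guid, success, failure}}.

    The tool's output may begin with a blank line, so empty lines are dropped
    before the CSV header is read.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    policy: Dict[str, dict] = {}
    for row in csv.DictReader(lines):
        setting = row["Inclusion Setting"].strip()
        if setting not in INCLUSION_TEXT:
            # Fail loudly rather than silently treating an unknown value as "off"
            raise ValueError(f"unexpected inclusion setting {setting!r} for {row['Subcategory']!r}")
        success, failure = INCLUSION_TEXT[setting]
        policy[row["Subcategory"].strip()] = {
            "machine": row["Machine Name"].strip(),
            "target": row["Policy Target"].strip(),
            "guid": row["Subcategory GUID"].strip(),
            "success": success,
            "failure": failure,
        }
    return policy


def unaudited(policy: Dict[str, dict]) -> List[str]:
    """Subcategories whose policy audits neither successes nor failures."""
    return sorted(name for name, p in policy.items() if not p["success"] and not p["failure"])


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for name in unaudited(parsed):
        print(f"{parsed[name]['machine']}: no auditing for {name} ({parsed[name]['guid']})")
```

Redirect the real report to a file (`auditpol /get /category:* /r > policy.csv`) and pass its contents to parse_report; the returned dictionary is keyed by subcategory name, and unaudited lists the subcategories that generate no events at all, which is the usual first thing to look for when reviewing a host's audit coverage.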

Retrieve the policy for two categories with the categories specified as GUIDs, which reports all the audit policy settings of all the subcategories under two categories:

auditpol /get /category:{69979849-797a-11d9-bed3-505054503030},{69997984a-797a-11d9-bed3-505054503030} /subcategory:{0ccee921a-69ae-11d9-bed3-505054503030}

Retrieve the state, either enabled or disabled, of the AuditBaseObjects option:

auditpol /get /option:AuditBaseObjects

The available options are AuditBaseObjects, AuditBaseOperations, and FullprivilegeAuditing. To retrieve the state (enabled, disabled, or 2) of the CrashOnAuditFail option in CSV report format:

auditpol /get /option:CrashOnAuditFail /r

List all users who have a defined audit policy:

auditpol /list /user

List all categories and subcategories in report format:

auditpol /list /subcategory:* /r

Remove the per-user audit policy for user Varsha by name:

auditpol /remove /user:Varsha

Remove the per-user audit policy for user Varsha by SID:

auditpol /remove /user:{S-1-5-21-397123471-12346959}

Remove the per-user audit policy for all users:

auditpol /remove /allusers

Set a global resource SACL to audit successful access attempts by a user on a registry key:

auditpol /resourceSACL /set /type:Key /user:SS64dom\user64 /success

Set a global resource SACL to audit successful and failed attempts by a user to perform generic read and write functions on files or folders:

auditpol /resourceSACL /set /type:File /user:SS64dom\user64 /success /failure /access:FRFW

Remove all global resource SACL entries for files or folders:

auditpol /resourceSACL /type:File /clear

Remove all global resource SACL entries for a particular user from files or folders:

auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001}

List the global object access auditing entries set on files or folders:

auditpol /resourceSACL /type:File /view

List the global object access auditing entries for a particular user that are set on files or folders:

auditpol /resourceSACL /type:File /view /user:SS64dom\user64

Restore system audit policy settings, per-user audit policy settings for all users, and all auditing options from a file that was created using the /backup command:

auditpol /restore /file:C:\policies\auditpolicy.csv

Set the per-user audit policy for all subcategories under the Detailed Tracking category for the user Varsha so that all of the user's successful attempts will be audited:

auditpol /set /user:Varsha /category:Detailed Tracking /include /success:enable

Set the per-user audit policy for categories specified by name and GUID, and subcategories specified by GUID to suppress auditing for any successful or failed attempts:

auditpol /set /user:Varsha /exclude /category:Object Access,System,{6997984b-797a-11d9-bed3-505054503030} /subcategory:{0ccee9210-69ae-11d9-bed3-505054503030},:{0ccee9211-69ae-11d9-bed3-505054503030}, /success:enable /failure:enable

Set the per-user audit policy for the specified user for all the categories for the suppression of auditing of all but successful attempts:

auditpol /set /user:Varsha /exclude /category:* /success:enable

Set the system audit policy for all subcategories under the Detailed Tracking category to audit only successful attempts (the failure setting is not altered):

auditpol /set /category:Detailed Tracking /success:enable

Set the system audit policy for the Object Access and System categories (which is implied because their subcategories are listed) and the subcategories specified by GUID to suppress auditing of failed attempts and audit successful attempts:

auditpol /set /subcategory:{0ccee9210-69ae-11d9-bed3-505054503030},{0ccee9211-69ae-11d9-bed3-505054503030}, /failure:disable /success:enable

Set the auditing options to the enabled state for the CrashOnAuditFail option:

auditpol /set /option:CrashOnAuditFail /value:enable
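Because /set only changes the success or failure flag you name and leaves the other alone, enforcing a baseline means comparing the current state per subcategory and per outcome and emitting only the flags that differ. The block below is an added example (not code from SS64 or from Microsoft) that generates the auditpol /set command lines needed to bring a host to a desired baseline. Both the baseline and the "current" state are constructed sample dictionaries in the shape a parsed /get report would give: subcategory name mapped to (audit success, audit failure). Subcategory names with spaces are quoted in the generated commands, which is this example's choice for running the lines from a cmd or PowerShell prompt.

```python
from typing import Dict, List, Optional, Tuple

Flags = Tuple[bool, bool]  # (audit successes, audit failures)

# Desired baseline (constructed sample values for the example)
BASELINE: Dict[str, Flags] = {
    "Process Creation": (True, True),
    "Logon": (True, True),
    "Security State Change": (True, False),
}

# Current state of the host (constructed; in practice taken from a parsed /get /r report)
CURRENT: Dict[str, Flags] = {
    "Process Creation": (False, False),
    "Logon": (True, False),
    "Security State Change": (True, False),
}


def _flag(value: bool) -> str:
    return "enable" if value else "disable"


def remediation_commands(current: Dict[str, Flags], baseline: Dict[str, Flags],
                         user: Optional[str] = None) -> List[str]:
    """Return the auditpol /set lines that move `current` to `baseline`.

    A subcategory missing from `current` is treated as "No Auditing". When `user`
    is given, the lines set a per-user /include policy for that principal instead
    of the system policy.
    """
    commands: List[str] = []
    for subcategory, (want_success, want_failure) in sorted(baseline.items()):
        have_success, have_failure = current.get(subcategory, (False, False))
        if (have_success, have_failure) == (want_success, want_failure):
            continue  # already compliant; nothing to change
        parts = ["auditpol", "/set"]
        if user:
            parts += [f"/user:{user}", "/include"]
        parts.append(f'/subcategory:"{subcategory}"')
        # Only emit the flag(s) that actually differ, since /set leaves the other untouched
        if have_success != want_success:
            parts.append(f"/success:{_flag(want_success)}")
        if have_failure != want_failure:
            parts.append(f"/failure:{_flag(want_failure)}")
        commands.append(" ".join(parts))
    return commands


if __name__ == "__main__":
    for line in remediation_commands(CURRENT, BASELINE):
        print(line)
```

Review the generated lines before running them, and take a backup with auditpol /backup first so the previous state can be restored with auditpol /restore if the new policy produces an unexpected event volume.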

“I always do a mental audit at the end of the week to make sure I’m balancing time between my career and my personal life” ~ Jill Wagner

Related commands

CleanMgr - Automated cleanup of Temp files, recycle bin.
DU - Display directory sizes/usage.
SYSMON - Monitor and log system activity to the Windows event log.
Q2573113 - AuditPol and Local Security Policy results may differ.


 
Copyright © 1999-2024 SS64.com
Some rights reserved