Auditpol Command Examples to Change Security Audit settings

Description

  This article provides step-by-step details on Auditpol command usage, with examples that get and set Security Audit settings at the category and subcategory level (Advanced Audit Configuration).

Usage of Auditpol command

Auditpol.exe is the command-line utility for changing Security Audit settings at the category and subcategory level. It is available by default in Windows 2008 R2 and later versions and in Windows 7 and later versions. With Auditpol, we can get and set Security Audit settings at the per-user level and at the computer level.

Note: You should run the Auditpol command with elevated privileges (Run As Administrator).

Usage: AuditPol command [<sub-command><options>]

Commands (only one command permitted per execution)
  /?               Help (context-sensitive)
  /get             Displays the current audit policy.
  /set             Sets the audit policy.
  /list            Displays selectable policy elements.
  /backup          Saves the audit policy to a file.
  /restore         Restores the audit policy from a file.
  /clear           Clears the audit policy.
  /remove          Removes the per-user audit policy for a user account.
  /resourceSACL    Configure global resource SACLs

Auditpol Command Examples

Lists all the settings

Auditpol /get /category:*

Lists only the Account Management category settings.

Auditpol /get /category:"Account Management"

Lists only the User Account Management subcategory setting.

Auditpol /get /subcategory:"User Account Management"

Enable success auditing for the Account Management category.

Auditpol /set /category:"Account Management" /success:enable

Enable failure auditing for the Account Management category.

Auditpol /set /category:"Account Management" /failure:enable

Disable (remove) success auditing for the Account Management category.

Auditpol /set /category:"Account Management" /success:disable

Disable (remove) failure auditing for the Account Management category.

Auditpol /set /category:"Account Management" /failure:disable

Enable success auditing for only the User Account Management subcategory.

Auditpol /set /subcategory:"User Account Management" /success:enable

Enable failure auditing for only the User Account Management subcategory.

Auditpol /set /subcategory:"User Account Management" /failure:enable

Lists Detailed Tracking category settings only for the user Administrator.

Auditpol /get /user:Administrator /category:"Detailed Tracking"

Enable success auditing for the Detailed Tracking category only for the user Administrator.

Auditpol /set /user:Administrator /category:"Detailed Tracking" /success:enable
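
A drift check built on the /get command above, as an added example that is not part of the original article: it parses the CSV report produced by the /r switch of Auditpol /get and compares each subcategory with a baseline. The baseline values, the function name Test-AuditPolicy and the sample rows (host name and GUIDs are placeholders) are assumptions for illustration, and English-language Auditpol output is assumed.

```powershell
# Added example, not from the original article.
# Baseline values are assumptions for illustration; substitute your own policy.
$Baseline = @{
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success'
    'Process Creation'          = 'Success'
}

# Constructed sample of "auditpol /get /category:* /r" output.
# Host name and GUIDs are placeholders, not real values.
$Sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

HOST01,System,User Account Management,{00000000-0000-0000-0000-000000000001},Success,
HOST01,System,Security Group Management,{00000000-0000-0000-0000-000000000002},Success,
HOST01,System,Process Creation,{00000000-0000-0000-0000-000000000003},No Auditing,
'@ -split "`r?`n"

function Test-AuditPolicy {
    param([string[]] $CsvLines, [hashtable] $Expected)

    # Drop blank lines from the report before parsing it as CSV.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    # Keep rows whose Policy Target is System (the computer-wide policy).
    $system = @($rows | Where-Object { $_.'Policy Target' -eq 'System' })

    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $row    = $system | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

# Offline run against the constructed sample:
Test-AuditPolicy -CsvLines $Sample -Expected $Baseline | Format-Table -AutoSize

# On a live host, from an elevated prompt:
# Test-AuditPolicy -CsvLines (auditpol /get /category:* /r) -Expected $Baseline
```

A subcategory reported as non-compliant can be corrected with the matching Auditpol /set /subcategory command shown above, and the check run again to confirm the change.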

Thanks,
Morgan
Software Developer

2 thoughts on “Auditpol Command Examples to Change Security Audit settings”

  1. How do I apply the audit command to only one file? It’s like working on a GUI. For example, File-Properties-Security-Audit-File Write Audit: Success. How do I do this on the command line?
