Usage: AuditPol /resourceSACL
          [/set /type:[/success] [/failure] /user: [/access: ] [/condition: ]]
          [/remove /type: /user: [/type: ]]
          [/clear [/type: ]]
          [/view [/user: ] [/type: ]]

This command configures settings for global object access auditing. The
corresponding object access subcategory needs to be enabled for the events
to be generated by the system. Type auditpol /set /? for more information.

Commands
  /?          Displays Help for the command.
  /set        Adds a new entry to or updates an existing entry in the
              resource system access control list for the resource type
              specified.
  /remove     Removes all entries for the given user from the global object
              access auditing list specified by the resource type.
  /clear      Removes all entries from the global object access auditing
              list for the specified resource type.
  /view       Lists the global object access auditing entries for the
              specified resource type and user. Specifying a user is
              optional.

Arguments
  /type       The resource for which object access auditing is being
              configured. The supported argument values are File and Key.
              Note that these values are case sensitive.
                File: Directories and files.
                Key:  Registry keys.
  /success    Specifies success auditing.
  /failure    Specifies failure auditing.
  /user       Specifies a user in one of the following forms:
                - DomainName\Account (such as DOM\Administrators)
                - StandaloneServer\Group
                - Account (see LookupAccountName API)
                - {S-1-x-x-x-x}. x is expressed in decimal, and the entire
                  SID must be enclosed in curly braces.
                  For example: {S-1-5-21-5624481-130208933-164394174-1001}
              Warning: If SID form is used, no check is done to verify the
              existence of this account.
  /access     Specifies a permission mask that can be specified in one of
              two forms:
                - A sequence of simple rights:
                    Generic access rights:
                      GA - GENERIC ALL
                      GR - GENERIC READ
                      GW - GENERIC WRITE
                      GX - GENERIC EXECUTE
                    Access rights for files:
                      FA - FILE ALL ACCESS
                      FR - FILE GENERIC READ
                      FW - FILE GENERIC WRITE
                      FX - FILE GENERIC EXECUTE
                    Access rights for registry keys:
                      KA - KEY ALL ACCESS
                      KR - KEY READ
                      KW - KEY WRITE
                      KX - KEY EXECUTE
                  For example: '/access:FRFW' will enable audit events for
                  read and write operations.
                - A hex value representing the access mask (such as
                  0x1200a9). This is useful when using resource-specific
                  bit masks that are not part of the SDDL standard.
              If omitted, Full access is used.
  /condition  Appends an attribute based expression like the following:
                Document sensitivity is HBI ("High")
                "(@Resource.Sensitivity == \"High\")"

Examples:
  auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\myuser /success
  auditpol /resourceSACL /set /type:File /user:MYDOMAIN\myuser /success /failure /access:FRFW
  auditpol /resourceSACL /set /type:File /user:everyone /success /failure /access:FRFW /condition:"(@Resource.Sensitivity == \"High\")"
  auditpol /resourceSACL /type:File /clear
  auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001}
  auditpol /resourceSACL /type:File /view
  auditpol /resourceSACL /type:File /view /user:MYDOMAIN\myuser
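
The two /access forms described above can be cross-checked offline before a global SACL entry is set. The following is an added example, not part of the auditpol help text or any Microsoft code: it maps the simple-rights codes to the standard Windows SDK access-mask constants and shows which codes a hex mask such as 0x1200a9 covers. The function names and the strict parsing (uppercase two-letter codes, codes of the other resource type rejected) are assumptions of this sketch.

```python
# Added example: decode auditpol /resourceSACL /access values offline.
# Mask values are the standard Windows SDK (winnt.h) constants.
GENERIC = {"GA": 0x10000000, "GR": 0x80000000,
           "GW": 0x40000000, "GX": 0x20000000}
RIGHTS = {
    "File": {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0},
    "Key": {"KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019},
}


def _table(resource_type):
    # /type values are case sensitive per the help text: only File and Key.
    if resource_type not in RIGHTS:
        raise ValueError(f"unsupported /type value: {resource_type!r}")
    return {**GENERIC, **RIGHTS[resource_type]}


def access_to_mask(access, resource_type):
    """Return the integer access mask for an /access value."""
    table = _table(resource_type)
    if access[:2].lower() == "0x":  # hex form, e.g. 0x1200a9
        return int(access, 16)
    if not access or len(access) % 2:
        raise ValueError(f"malformed simple-rights string: {access!r}")
    mask = 0
    for i in range(0, len(access), 2):
        code = access[i:i + 2]
        # Assumption of this sketch: codes for the other type are rejected.
        if code not in table:
            raise ValueError(f"{code!r} is not valid for /type:{resource_type}")
        mask |= table[code]
    return mask


def covering_rights(mask, resource_type):
    """List the simple rights whose bits are all set in mask."""
    return sorted(code for code, bits in _table(resource_type).items()
                  if mask & bits == bits)


if __name__ == "__main__":
    print(hex(access_to_mask("FRFW", "File")))   # mask behind /access:FRFW
    print(covering_rights(0x1200A9, "File"))     # codes covered by 0x1200a9
```

KEY EXECUTE and KEY READ are the same mask value in the SDK, so /access:KX selects the same registry operations as /access:KR.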