Usage: AuditPol /resourceSACL /set /type: /success /failure /user: /access: /remove /type: /user: /type: /clear /type: /view ...

Usage: AuditPol /resourceSACL
       [/set /type: [/success] [/failure] /user:
         [/access:]]
       [/remove /type: /user: [/type:]]
       [/clear [/type:]]
       [/view [/user:] [/type:]]


This command configures settings for global object access auditing. The
corresponding object access subcategory needs to be enabled for the events
to be generated by the system. Type auditpol /set /? for more information.


Commands
  /?            Displays Help for the command.
  /set          Adds a new entry to or updates an existing entry in the
                resource system access control list for the resource type
                specified.
  /remove       Removes all entries for the given user in the global
                object access auditing list. If the type is not specified,
                all entries for the user are removed.
  /clear        Removes all entries from the global object access auditing
                list.
                If the type is omitted, all entries are removed.
  /view         Lists the global object access auditing entries in a
                resource system access control list, filtered by the given
                user and resource type. The user and resource types are
                optional.


Arguments


/type           The resource for whom object access auditing is
                being configured.
                The supported values for resources are File and Key.
                File: Directories and files.
                Key:  Registry keys.
/success        Specifies success auditing.
/failure        Specifies failure auditing.
/user           Specifies a user in one of the following forms:
                - DomainName\Account (such as DOM\Administrators)
                - StandaloneServer\Group
                - Account (see LookupAccountName API)
                - {S-1-x-x-x-x}. x is expressed in decimal, and the entire
                  SID must be enclosed in curly braces.
                  For example: {S-1-5-21-5624481-130208933-164394174-1001}
                  Warning: If SID form is used, no check is done to verify
                  the existence of this account.
/access         Specifies a permission mask that can be specified in one
                of two forms:
                - A sequence of simple rights:
                  Generic access rights:
                    GA - GENERIC ALL
                    GR - GENERIC READ
                    GW - GENERIC WRITE
                    GX - GENERIC EXECUTE
                  Access rights for files:
                    FA - FILE ALL ACCESS
                    FR - FILE GENERIC READ
                    FW - FILE GENERIC WRITE
                    FX - FILE GENERIC EXECUTE
                  Access rights for registry keys:
                    KA - KEY ALL ACCESS
                    KR - KEY READ
                    KW - KEY WRITE
                    KX - KEY EXECUTE
                  For example: '/access:FRFW' will enable audit events
                  for read and write operations.
                - A hex value representing the access mask (such as
                  0x1200a9).
                  This is useful when using resource-specific bit masks
                  that are not part of the SDDL standard. If omitted,
                  Full access is used.


Examples:


  auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\myuser /success
  auditpol /resourceSACL /set /type:File /user:MYDOMAIN\myuser /success
    /failure /access:FRFW
  auditpol /resourceSACL /type:File /clear
  auditpol /resourceSACL /remove /type:File
    /user:{S-1-5-21-56248481-1302087933-1644394174-1001}
  auditpol /resourceSACL /type:File /view
  auditpol /resourceSACL /type:File /view /user:MYDOMAIN\myuser