Usage: AuditPol /resourceSACL [/set /type:[/success] [/failure] /user: [/access: ]] [/remove /type: /user: [/type: ]] [/clear [/type: ]] [/view [/user: ] [/type: ]] This command configures settings for global object access auditing. The corresponding object access subcategory needs to be enabled for the events to be generated by the system. Type auditpol /set /? for more information. Commands /? Displays Help for the command. /set Adds a new entry to or updates an existing entry in the resource system access control list for the resource type specified. /remove Removes all entries for the given user in the global object access auditing list. If the type is not specified, all entries for the user are removed. /clear Removes all entries from the global object access auditing list. If the type is omitted, all entries are removed. /view Lists the global object access auditing entries in a resource system access control list, filtered by the given user and resource type. The user and resource types are optional. Arguments /type The resource for whom object access auditing is being configured. The supported values for resources are File and Key. File: Directories and files. Key: Registry keys. /success Specifies success auditing. /failure Specifies failure auditing. /user Specifies a user in one of the following forms: - DomainName\Account (such as DOM\Administrators) - StandaloneServer\Group - Account (see LookupAccountName API) - {S-1-x-x-x-x}. x is expressed in decimal, and the entire SID must be enclosed in curly braces. For example: {S-1-5-21-5624481-130208933-164394174-1001} Warning: If SID form is used, no check is done to verify the existence of this account. /access Specifies a permission mask that can be specified in one of two forms: - A sequence of simple rights: Generic access rights: GA - GENERIC ALL GR - GENERIC READ GW - GENERIC WRITE GX - GENERIC EXECUTE Access rights for files: FA - FILE ALL ACCESS FR - FILE GENERIC READ FW - FILE GENERIC WRITE FX - FILE GENERIC EXECUTE Access rights for registry keys: KA - KEY ALL ACCESS KR - KEY READ KW - KEY WRITE KX - KEY EXECUTE For example: '/access:FRFW' will enable audit events for read and write operations. - A hex value representing the access mask (such as 0x1200a9). This is useful when using resource-specific bit masks that are not part of the SDDL standard. If omitted, Full access is used. Examples: auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\myuser /success auditpol /resourceSACL /set /type:File /user:MYDOMAIN\myuser /success /failure /access:FRFW auditpol /resourceSACL /type:File /clear auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001} auditpol /resourceSACL /type:File /view auditpol /resourceSACL /type:File /view /user:MYDOMAIN\myuser
Usage: AuditPol /clear /y This command deletes per-user audit policy for all users, resets system audit policy for all subcategories ...
Usage: AuditPol /get /user[: | /category:*| | ,: | . /subcategory: | ,: | . /option: /sd /r This command displays the current ...
Usage: AuditPol /list /user|/category|/subcategory[: | |* /v /r This command lists audit policy categories, subcategories, ...
Usage: AuditPol /remove /user[: | /allusers This command removes per-user audit policy for a specified account. Options /? ...
Usage: AuditPol /resourceSACL /set /type: /success /failure /user: /access: /remove /type: /user: /type: /clear /type: /view ...
Usage: AuditPol /restore /file: This command restores system audit policy settings, per-user audit policy settings for all ...
Usage: AuditPol /set /user[: | ][/include][/exclude /category: | ,: | . /success: | ][/failure: | /subcategory: | ,: | . ...
Usage: AuditPol command Commands (only one command permitted per execution) /? Help (context-sensitive) /get Displays the ...
Usage: AUTOMAGIC AUTOMAGIC SET = = . AUTOMAGIC CLEAR {ALL | .]} AUTOMAGIC APPLY Displays or changes the AUTOMAGIC flags that ...