Command to set modify Advanced Security Settings (Audit Settings for folders) on windows 2008
-
May 8, 2012 14:57
Hello,
We have a requirement to modify Advanced Security Settings (Audit Settings for folders) on Windows 2008. I am looking for a command which does this job.
I know I can do this using group policies; in fact, I have done this using group policies. However, I need to do this on a number of servers which are not in a domain. There are around 15 folders on which I need to enable auditing; manually editing folder advanced permissions is a cumbersome job. Hence, I am looking for command line options.
I need to know how a command can be utilised to enable the Audit option on a folder. Please share a command which can do this; once I get the command, I will create a batch file for the other necessary folders. (BTW, this is not a scripting question, I just need to know the command; hence, please do not redirect me to the scripting forum.)
Manually through the GUI, I am setting the following; snaps are given below.
Thanks !
All replies
-
May 8, 2012 15:20
You can try using Auditpol.exe: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
-
May 8, 2012 15:33
Thanks, but I guess auditpol can be used only to manipulate system audit policies. How do I specify a folder and user in auditpol? I could not find or understand how a folder can be included with auditpol command line options.
Thanks !
-
May 9, 2012 8:20 Moderator
Hi,
Thank you for the post.
Please download and use subinacl.exe to modify folder/user audit settings like:
subinacl /subdirectories=directoriesonly d:\test /sallowdeny=everyone=f
subinacl /file d:\test1.txt /sallowdeny=everyone=F
The audit action parameter includes sgrant, sdeny and sallowdeny.
subinacl security descriptor editing features :
- owner ( /setowner )
- primary group ( /setprimarygroup )
- permissions ( /grant , /deny , /revoke )
- audit ( /sgrant, /sdeny, /sallowdeny)
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/27a5c5ab-fd1e-4748-8d55-cbc5985495ee
http://www.vanstechelman.eu/windows/how_to_use_subinacl
If there are more inquiries on this issue, please feel free to let us know.
Regards
Rick Tan
TechNet Community Support
- Edited by Rick Tan (Moderator) May 9, 2012 8:23
- Proposed as answer by Mr X (MVP) May 9, 2012 12:07
- Marked as answer by Jayawardhane May 11, 2012 12:54
-
May 9, 2012 11:27
Thanks Rick.
I will give that a try and post my feedback in a day or two.
Thanks again.
Thanks !
-
May 9, 2012 12:08
Rick, subinacl.exe works perfectly fine :)
Need one more small help.
I executed the following on a test folder:
C:\Program Files (x86)\Windows Resource Kits\Tools>subinacl /subdirectories d:\junk /sdeny=everyone=F
Audit settings got applied; however, "Apply these auditing entries to the objects and/or containers within this container only" has not been enabled. How do I get that using subinacl?
Thanks !
-
May 10, 2012 4:15 Moderator
Hi,
Oh, please use "d:\junk\" instead of "d:\junk". Read explanations below:
/subdirectories file_path
manipulate files in specified directory and all subdirectories
- c:\temp\*.obj : work with all obj files
- c:\temp\test : work with all test files below the c:\temp directory
- c:\temp\test\*.* : work with all files below temp\test
- c:\temp\test\ : work with all files below temp\test
/subdirectories=directoriesonly will apply parameters on directories only
/subdirectories=filesonly will apply parameters on files only
Regards
Rick Tan
TechNet Community Support
-
May 10, 2012 11:53
Hi Rick,
I used "D:\Junk\"; however, that didn't make any difference. I even tried "D:\Junk\*.*"; this didn't work either.
Thanks !
-
May 11, 2012 2:32 Moderator
Hi,
No command function could enable the "Apply these auditing entries to the objects and/or containers within this container only" check box.
By default, the audit entry applies to "This folder, subfolder and files". So please just create a new folder/file in the junk folder and check the audit entry.
https://skydrive.live.com/?cid=89aee176339ad2f9#cid=89AEE176339AD2F9&id=89AEE176339AD2F9%21201
Based on my test, the difference between the two object_type values is listed below. Select what you want or run both of them.

| subinacl object_type | audit entry applied | audit entry not applied |
| d:\junk | d:\junk, new folder/file in junk folder | existing folder/file in junk folder |
| d:\junk\ | existing and new folder/file in junk folder | d:\junk |

Regards
Rick Tan
TechNet Community Support
- Marked as answer by Jayawardhane May 11, 2012 12:54
-
May 11, 2012 12:55
Rick - Thanks for the help. Appreciated :)
Thanks !
-
December 19, 2012 17:59
We need to audit the local Everyone group on each server for all Failed attempts to the C:\Windows\System32\Drivers folder - but ONLY that folder (on thousands of servers). I realize from your response above that the checkbox highlighted below cannot be checked via command function, but we don't typically use that - we use the dropdown above, "Apply Onto:" and change that to "This Folder Only".
1) What is the difference between these methods, if any?
2) Is there a way to script this subinacl command or use powershell to accomplish this somehow?
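
One way to script the per-folder audit entry, including the "Apply onto" scope discussed in this thread, with PowerShell's Get-Acl/Set-Acl and the .NET FileSystemAuditRule class. This is an added example, not code from the thread or from any of its participants; the folder path and the scope names in the hashtable are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): failure-audit SACL entry for Everyone.
# Run elevated; reading or writing a SACL needs SeSecurityPrivilege.
# The folder list is a constructed sample; replace it with your own paths.
$folders = @('D:\junk')

# Everyone by well-known SID (S-1-1-0), so the name need not resolve locally.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# GUI "Apply onto" choices expressed as (InheritanceFlags, PropagationFlags).
# The key names are hypothetical labels, not Windows identifiers.
$scopes = @{
    ThisFolderOnly          = @('None', 'None')
    FolderSubfoldersFiles   = @('ContainerInherit, ObjectInherit', 'None')
    # Same as above plus the "within this container only" check box.
    WithinThisContainerOnly = @('ContainerInherit, ObjectInherit', 'NoPropagateInherit')
}
$scope = $scopes['ThisFolderOnly']

foreach ($path in $folders) {
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]'FullControl',
        [System.Security.AccessControl.InheritanceFlags]$scope[0],
        [System.Security.AccessControl.PropagationFlags]$scope[1],
        [System.Security.AccessControl.AuditFlags]'Failure')

    $acl = Get-Acl -Path $path -Audit      # -Audit loads the SACL as well
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Read back and show what is now in the SACL.
    (Get-Acl -Path $path -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags,
                     InheritanceFlags, PropagationFlags -AutoSize
}

# Events are only written if object-access auditing is on in the system policy:
#   auditpol /set /subcategory:"File System" /failure:enable
```

The read-back table is the check to keep: an entry with InheritanceFlags `None` is the "This folder only" case, and PropagationFlags `NoPropagateInherit` is what the "within this container only" check box sets.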