Registry or Command Line to set Local Security Audit Policy on local machine

  • Question

  • How do I set the Local Security Audit Policy on a local machine, either by registry or command line?

    The settings below need to be set on multiple machines in a workgroup environment.

    Security Settings > Local Policies > Audit Policy

    Audit account logon events
    Audit account management
    Audit directory service access
    Audit logon events
    Audit object access
    Audit policy change


    Pranay (MCSE, MCITP)

    Monday, February 10, 2014 1:59 PM

Answers

  • Below are the switches to configure Audit Policy through command:

    Auditpol /set /category:"Account Logon" /Success:enable /failure:enable
    Auditpol /set /category:"Logon/Logoff" /Success:enable /failure:enable
    Auditpol /set /category:"Account Management" /Success:enable /failure:enable
    Auditpol /set /category:"DS Access" /failure:enable
    Auditpol /set /category:"Object Access" /failure:enable
    Auditpol /set /category:"policy change" /Success:enable /failure:enable
    Auditpol /set /category:"Privilege use" /Success:enable /failure:enable
    Auditpol /set /category:"System" /failure:enable


    Pranay (MCSE, MCITP)

    • Marked as answer by Pranay K Jha Tuesday, February 11, 2014 4:44 PM
    Tuesday, February 11, 2014 4:44 PM
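
    An added example, not part of the original thread: a PowerShell sketch that applies the same category settings as the answer above on one workgroup machine and then reads the effective policy back with `auditpol /get ... /r` to confirm each subcategory took the setting. It assumes an elevated prompt and English category names; the variable names and the result object layout are illustrative.

```powershell
#Requires -RunAsAdministrator
# Categories and flags as given in the answer (English names; they are localized
# on non-English Windows installations).
$wanted = [ordered]@{
    'Account Logon'      = @('Success', 'Failure')
    'Logon/Logoff'       = @('Success', 'Failure')
    'Account Management' = @('Success', 'Failure')
    'DS Access'          = @('Failure')
    'Object Access'      = @('Failure')
    'Policy Change'      = @('Success', 'Failure')
    'Privilege Use'      = @('Success', 'Failure')
    'System'             = @('Failure')
}

$gaps = foreach ($category in $wanted.Keys) {
    # Build /success:enable and/or /failure:enable for this category.
    $flags = @($wanted[$category] | ForEach-Object { "/$($_.ToLower()):enable" })
    & auditpol.exe /set "/category:$category" @flags | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$category'" }

    # /r prints the effective policy as CSV, one row per subcategory.
    $rows = & auditpol.exe /get "/category:$category" /r |
        Where-Object { $_ } | ConvertFrom-Csv

    foreach ($row in $rows) {
        foreach ($flag in $wanted[$category]) {
            # 'Inclusion Setting' reads "Success", "Failure",
            # "Success and Failure" or "No Auditing".
            if ($row.'Inclusion Setting' -notmatch $flag) {
                [pscustomobject]@{
                    Category    = $category
                    Subcategory = $row.Subcategory
                    Missing     = $flag
                    Actual      = $row.'Inclusion Setting'
                }
            }
        }
    }
}

if ($gaps) {
    $gaps | Format-Table -AutoSize
    Write-Warning 'Some subcategories do not have the requested auditing enabled.'
} else {
    Write-Output 'Effective audit policy matches the requested settings.'
}
```

    Because the answer passes only `/failure:enable` for DS Access, Object Access and System, any existing success auditing on those categories is left as it was, so the check only confirms that the requested flags are present.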

All replies

  • Use Group Policy on the domain to set this.


    ¯\_(ツ)_/¯

    Monday, February 10, 2014 2:52 PM
  • I said this is for workgroup machines, so how will GPO work?

    Pranay (MCSE, MCITP)

    Monday, February 10, 2014 3:26 PM
  • Is this Windows 2008 or later?  If so, use auditpol.exe
    Monday, February 10, 2014 3:32 PM
  • I tried auditpol.exe but am not getting the required options. Can you suggest which options I should use for the settings below?

    Security Settings > Local Policies > Audit Policy

    Audit account logon events
    Audit account management
    Audit directory service access
    Audit logon events
    Audit object access
    Audit policy change


    Pranay (MCSE, MCITP)

    Tuesday, February 11, 2014 3:01 AM
  • auditpol /set /category:"Account Logon" /success:enable


    ¯\_(ツ)_/¯

    Tuesday, February 11, 2014 3:37 AM
  • Tuesday, February 11, 2014 3:38 AM
  • Is there a way to use auditpol to exclude 1 user account?

    is this a correct command?

    auditpol /set /DomainName\ServiceAccountUser /exclude /subcategory:Logon
    auditpol /set /DomainName\ServiceAccountUser/exclude /subcategory:"Special Logon"
    auditpol /set /DomainName\ServiceAccountUser /exclude /subcategory:"Logoff"

    Monday, March 25, 2019 3:51 PM
  • Is there a way to use auditpol to exclude 1 user account?

    is this a correct command?

    auditpol /set /DomainName\ServiceAccountUser /exclude /subcategory:Logon
    auditpol /set /DomainName\ServiceAccountUser/exclude /subcategory:"Special Logon"
    auditpol /set /DomainName\ServiceAccountUser /exclude /subcategory:"Logoff"

    Please do not add new and unrelated question to old, closed and answered topics.  Open a new topic with a complete description of your issue.


    ¯\_(ツ)_/¯

    Monday, March 25, 2019 4:05 PM