Command to modify Advanced Security Settings (Audit Settings for folders) on Windows 2008

    Question

  • Hello,

    We have a requirement to modify Advanced Security Settings (Audit Settings for folders) on Windows 2008. I am looking for a command which does this job.

    I know I can do this using group policies; in fact, I have done this using group policies. However, I need to do this on a number of servers which are not in a domain. There are around 15 folders on which I need to enable auditing; manually editing folder advanced permissions is a cumbersome job. Hence, I am looking for a command-line option.

    I need to know how a command can be utilised to enable the Audit option on a folder. Please share a command which can do this; once I get the command, I will create a batch file for the other necessary folders. (BTW, this is not a scripting question, I just need to know the command; hence, please do not redirect me to the scripting forum.)

    Manually through the GUI, I am setting the following; snaps are given below.


    Thanks !

    Tuesday, May 08, 2012 2:57 PM

All replies

  • You can try using Auditpol.exe: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    Tuesday, May 08, 2012 3:20 PM
  • Thanks, but I guess auditpol can be used only to manipulate system audit policies. How do I specify a folder and user in auditpol? I could not find or understand how a folder can be included with auditpol command-line options.

    Thanks !

    Tuesday, May 08, 2012 3:33 PM
  • Hi,

    Thank you for the post.

    Please download and use subinacl.exe to modify folder/user audit settings like:

    subinacl /subdirectories=directoriesonly d:\test /sallowdeny=everyone=f
    subinacl /file d:\test1.txt /sallowdeny=everyone=F

    The audit action parameter includes sgrant, sdeny and sallowdeny.
    subinacl security descriptor editing features :
             - owner ( /setowner )
             - primary group ( /setprimarygroup )
             - permissions ( /grant , /deny , /revoke )
             - audit ( /sgrant, /sdeny, /sallowdeny)

    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/27a5c5ab-fd1e-4748-8d55-cbc5985495ee
    http://www.vanstechelman.eu/windows/how_to_use_subinacl

    If there are more inquiries on this issue, please feel free to let us know.

    Regards


    Rick Tan

    TechNet Community Support


    • Edited by Rick Tan (Moderator) Wednesday, May 09, 2012 8:23 AM
    • Proposed as answer by Mr X (MVP) Wednesday, May 09, 2012 12:07 PM
    • Marked as answer by Jayawardhane Friday, May 11, 2012 12:54 PM
    Wednesday, May 09, 2012 8:20 AM
    Moderator
  • Thanks Rick.

    I will give that a try and post my feedback in a day or two.

    Thanks again.


    Thanks !

    Wednesday, May 09, 2012 11:27 AM
  • Rick, subinacl.exe works perfectly fine :)

    I need one more small bit of help.

    I executed the following on a test folder:

    C:\Program Files (x86)\Windows Resource Kits\Tools>subinacl /subdirectories d:\junk /sdeny=everyone=F 

    Audit settings got applied; however, "Apply these auditing entries to the objects and/or containers within this container only" has not been enabled. How do I get that using subinacl?


    Thanks !

    Wednesday, May 09, 2012 12:08 PM
  • Hi,

    Oh, please use "d:\junk\" instead of "d:\junk". Read explanations below:

    /subdirectories file_path

    manipulate files in specified directory and all subdirectories
    - c:\temp\*.obj     : work with all obj files
    - c:\temp\test      : work with all test files below the c:\temp directory
    - c:\temp\test\*.* : work with all files below temp\test
    - c:\temp\test\    : work with all files below temp\test
     /subdirectories=directoriesonly will apply parameters on directories only
     /subdirectories=filesonly will apply parameters on files only

    Regards


    Rick Tan

    TechNet Community Support

    Thursday, May 10, 2012 4:15 AM
    Moderator
  • Hi Rick,

    I used "D:\Junk\"; however, that didn't make any difference. I even tried "D:\Junk\*.*"; this didn't work either.


    Thanks !

    Thursday, May 10, 2012 11:53 AM
  • Hi,

    No command function could enable the "Apply these auditing entries to the objects and/or containers within this container only" check box.
    By default, the audit entry applies to "This folder, subfolder and files". So please just create a new folder/file in the junk folder and check the audit entry.
    https://skydrive.live.com/?cid=89aee176339ad2f9#cid=89AEE176339AD2F9&id=89AEE176339AD2F9%21201

    Based on my test, the difference between the two object_type values is listed below. Select what you want or run both of them.

    subinacl object_type    audit entry applied                            audit entry not applied
    d:\junk                 d:\junk, new folder/file in junk folder        existing folder/file in junk folder
    d:\junk\                existing and new folder/file in junk folder    d:\junk

    Regards


    Rick Tan

    TechNet Community Support

    • Marked as answer by Jayawardhane Friday, May 11, 2012 12:54 PM
    Friday, May 11, 2012 2:32 AM
    Moderator
  • Rick - Thanks for the help. Appreciated :)

    Thanks !

    Friday, May 11, 2012 12:55 PM
  • We need to audit the local Everyone group on each server for all Failed attempts to the C:\Windows\System32\Drivers folder - but ONLY that folder (on thousands of servers). I realize from your response above that the checkbox highlighted below cannot be checked via command function, but we don't typically use that - we use the dropdown above, "Apply Onto:", and change that to "This Folder Only".

    1) What is the difference between these methods, if any?

    2) Is there a way to script this subinacl command or use PowerShell to accomplish this somehow?

    Wednesday, December 19, 2012 5:59 PM
  • Hi Rick,

    Is it possible to list the Audit settings on folders/files using command line? Subinacl doesn't seem to do that.

    Thanks,

    Rohit

    Monday, July 21, 2014 11:45 PM
  • Is it possible to add multiple Access for the /sallowdeny action?

    For example: 

    subinacl /file=directoriesonly C:\Temp /sallowdeny=Everyone=D, P, C

    Or something similar to that? When I make a single change it erases all other changes. 

    Tuesday, February 02, 2016 6:51 PM
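
Added example, not part of any post in this thread: the later questions above (auditing "This folder only", listing a folder's audit entries, and putting several access rights into one entry) can be handled from Windows PowerShell through .NET's FileSystemAuditRule instead of subinacl. The function names are hypothetical, and the code assumes Windows PowerShell 2.0 or later on .NET Framework in an elevated session.

```powershell
# Added example; function names are hypothetical. Assumes Windows PowerShell on
# .NET Framework, run elevated (SACL access needs SeSecurityPrivilege).

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [string]$Identity = 'Everyone',
        # Several rights form one flags value, e.g. 'Delete, ChangePermissions'.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'FullControl',
        [System.Security.AccessControl.AuditFlags]$Outcome = 'Failure',
        [switch]$ThisFolderOnly,
        [switch]$DirectChildrenOnly
    )
    # Default scope: "This folder, subfolders and files".
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    if ($ThisFolderOnly) {
        # "Apply onto: This folder only": the entry is not inherited at all.
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    } elseif ($DirectChildrenOnly) {
        # The "...within this container only" check box: children inherit the
        # entry but do not pass it on to their own children.
        $propagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $Identity, $Rights, $inherit, $propagate, $Outcome

    # Read and write only the SACL, so owner and DACL are left untouched.
    $item = Get-Item -LiteralPath $Path
    $acl  = $item.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Audit)
    $acl.AddAuditRule($rule)   # adds to the SACL; existing entries are kept
    $item.SetAccessControl($acl)
}

function Get-FolderAuditRule {
    param([Parameter(Mandatory=$true)][string]$Path)
    $sections = [System.Security.AccessControl.AccessControlSections]::Audit
    $acl = (Get-Item -LiteralPath $Path).GetAccessControl($sections)
    # Explicit and inherited entries, with identities shown as account names.
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags, IsInherited
}

# Usage (folder taken from the post above; the rights chosen are an assumption):
# Add-FolderAuditRule -Path 'C:\Windows\System32\Drivers' -Rights 'Delete, ChangePermissions, TakeOwnership' -ThisFolderOnly
# Get-FolderAuditRule -Path 'C:\Windows\System32\Drivers' | Format-Table -AutoSize
```

A SACL entry only produces Security-log events while object-access auditing is enabled in the system audit policy, which is the part auditpol controls, for example `auditpol /set /subcategory:"File System" /failure:enable`.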