Command to set modify Advanced Security Settings (Audit Settings for folders) on windows 2008
Hello,
We have requirement to modify Advanced Security Settings (Audit Settings for folders) on windows 2008. I am looking for a command which does this job.
I know, using group policies I can do this; in fact I had done this using group policies. However, I need to do this on number of servers which are not in domain. There are around 15 folders on which I need to enable Auditing; manual editing folder advanced
permissions is a cumbersome job. Hence, I am looking for a command line options.
I need to know how command can be utilised to enable Audit option on a folder. Please share a command which can do this; once I get the command, I will create a batch file for other necessary folders. (BTW, this is not a scripting question, I just need to
know the command hence, please do not re-direct me to scripting forum)
Manually through GUI, I am setting following.. snaps are given below
Thanks !
May 8th, 2012 10:57am
You can try using Auditpol.exe: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
This
posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft
Student Partner 2010 / 2011
Microsoft
Certified Professional
Microsoft
Certified Systems Administrator: Security
Microsoft
Certified Systems Engineer: Security
Microsoft
Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft
Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft
Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft
Certified Technology Specialist: Windows 7, Configuring
Microsoft
Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
Free Windows Admin Tool Kit Click here and download it now
May 8th, 2012 11:20am
You can try using Auditpol.exe: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx
This
posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft
Student Partner 2010 / 2011
Microsoft
Certified Professional
Microsoft
Certified Systems Administrator: Security
Microsoft
Certified Systems Engineer: Security
Microsoft
Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft
Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft
Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft
Certified Technology Specialist: Windows 7, Configuring
Microsoft
Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
Thanks but I guess, auditpol ca be used only to manipulate system audit policies. how do I specify a folder and user in auditpol ? I could not find or understand how folder can be included with auditpol command line options.Thanks !
May 8th, 2012 11:33am
Hi,
Thank you for the post.
Please download and use
subinacl.exe to modify folder/user audit settings like:
subinacl /subdirectories=directoriesonly d:\test /sallowdeny=everyone=f
subinacl /file d:\test1.txt /sallowdeny=everyone=F
The audit action parameter includes sgrant, sdeny and sallowdeny.
subinacl security descriptor editing features :
- owner ( /setowner )
- primary group ( /setprimarygroup )
- permissions ( /grant , /deny , /revoke )
- audit ( /sgrant, /sdeny, /sallowdeny)
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/27a5c5ab-fd1e-4748-8d55-cbc5985495ee
http://www.vanstechelman.eu/windows/how_to_use_subinacl
If there are more inquiries on this issue, please feel free to let us know.
Regards
Rick Tan
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
May 9th, 2012 4:20am
Hi,
Thank you for the post.
Please download and use
subinacl.exe to modify folder/user audit settings like:
subinacl /subdirectories=directoriesonly d:\test /sallowdeny=everyone=f
subinacl /file d:\test1.txt /sallowdeny=everyone=F
The audit action parameter includes sgrant, sdeny and sallowdeny.
subinacl security descriptor editing features :
- owner ( /setowner )
- primary group ( /setprimarygroup )
- permissions ( /grant , /deny , /revoke )
- audit ( /sgrant, /sdeny, /sallowdeny)
http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/27a5c5ab-fd1e-4748-8d55-cbc5985495ee
http://www.vanstechelman.eu/windows/how_to_use_subinacl
If there are more inquiries on this issue, please feel free to let us know.
Regards
Rick Tan
TechNet Community Support
Thanks Rick.
I will give that a try and post my feedback in a day or two.
Thanks again.
Thanks !
May 9th, 2012 7:27am
Rick, subinacl.exe works perfectly fine :)
Need one more small help
I executed following on a test folder
C:\Program Files (x86)\Windows Resource Kits\Tools>subinacl /subdirectories d:\junk /sdeny=everyone=F
Audit settings got applied however, " Apply these auditing entries to the objects and/or containers within this container only " has not been enabled. How do I get that using subinacl ?
Thanks !
Free Windows Admin Tool Kit Click here and download it now
May 9th, 2012 8:08am
Hi,
Oh, please use "d:\junk\" instead of "d:\junk". Read explanations below:
/subdirectories file_path
manipulate files in specified directory and all subdirectories
- c:\temp\*.obj : work with all obj files
- c:\temp\test : work with all test files below the c:\temp directory
- c:\temp\test\*.* : work with all files below temp\test
- c:\temp\test\ : work with all files below temp\test
/subdirectories=directoriesonly will apply parameters on directories only
/subdirectories=filesonly will apply parameters on files only
RegardsRick Tan
TechNet Community Support
May 10th, 2012 12:15am
Hi Rick,
I used "D:\Junk\" however that didn't make any difference. I even tried " D:\Junk\*.*" this didn't work either.Thanks !
Free Windows Admin Tool Kit Click here and download it now
May 10th, 2012 7:53am
Hi,
No command function could enable the "Apply these auditing entries to the objects and/or containers within this container only" check box.
By default, the audit entry apply to "This folder, subfolder and files". So please just create new folder/file in junk folder and check the audit entry.
https://skydrive.live.com/?cid=89aee176339ad2f9#cid=89AEE176339AD2F9&id=89AEE176339AD2F9%21201
Based on my test, the difference of two object_type listed below. Select what you want or run both of them.
subinacl object_type audit entry applied
audit entry not applied
d:\junk d:\junk, new folder/file in junk folder existed folder/file in junk folder
d:\junk\ existed and new folder/file in junk folder d:\junk
RegardsRick Tan
TechNet Community Support
May 10th, 2012 10:32pm
Rick - Thanks for the help. appreciated :)Thanks !
Free Windows Admin Tool Kit Click here and download it now
May 11th, 2012 8:55am