title: auditpol resourceSACL
description: Reference article for the auditpol resourceSACL command, which configures global resource system access control lists (SACLs).
ms.topic: reference
ms.assetid: 28771ba7-967a-45e9-9bf0-b2a2673070f0
ms.author: mosagie
author: robinharwood
manager: mtillman
ms.date: 10/16/2017

auditpol resourceSACL

Configures global resource system access control lists (SACLs).

To perform resourceSACL operations, you must have Write or Full Control permissions for that object set in the security descriptor. You can also perform resourceSACL operations if you have the Manage auditing and security log (SeSecurityPrivilege) user right.

Syntax

auditpol /resourceSACL [/set /type:<resource> [/success] [/failure] /user:<user> [/access:<access flags>]] [/remove /type:<resource> /user:<user> [/type:<resource>]] [/clear [/type:<resource>]] [/view [/user:<user>] [/type:<resource>]] 

Parameters

| Parameter | Description |
| --- | --- |
| /set | Adds a new entry to or updates an existing entry in the resource SACL for the resource type specified. |
| /remove | Removes all entries for the given user in the global object access auditing list. |
| /clear | Removes all entries from the global object access auditing list. |
| /view | Lists the global object access auditing entries in a resource SACL. The user and resource types are optional. |
| /? | Displays help at the command prompt. |

Arguments

| Argument | Description |
| --- | --- |
| /type | The resource for which object access auditing is being configured. The supported, case-sensitive, argument values are File (for directories and files) and Key (for registry keys). |
| /success | Specifies success auditing. |
| /failure | Specifies failure auditing. |
| /user | Specifies a user in one of the following forms: |
  • DomainName\Account (such as DOM\Administrators)
  • StandaloneServer\Group Account (see LookupAccountName function)
  • {S-1-x-x-x-x} (x is expressed in decimal, and the entire SID must be enclosed in curly braces). For example: {S-1-5-21-5624481-130208933-164394174-1001}

    Note: If the SID form is used, no check is done to verify the existence of this account.

| /access | Specifies a permission mask that can be specified through: |

Generic access rights, including:

  • GA - GENERIC ALL
  • GR - GENERIC READ
  • GW - GENERIC WRITE
  • GX - GENERIC EXECUTE

Access rights for files, including:

  • FA - FILE ALL ACCESS
  • FR - FILE GENERIC READ
  • FW - FILE GENERIC WRITE
  • FX - FILE GENERIC EXECUTE

Access rights for registry keys, including:

  • KA - KEY ALL ACCESS
  • KR - KEY READ
  • KW - KEY WRITE
  • KX - KEY EXECUTE

For example: /access:FRFW enables audit events for read and write operations.

A hexadecimal value representing the access mask (such as 0x1200a9)

This is useful when using resource-specific bit masks that are not part of the security descriptor definition language (SDDL) standard. If omitted, Full access is used.

Examples

To set a global resource SACL to audit successful access attempts by a user on a registry key:

auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\myuser /success 

To set a global resource SACL to audit successful and failed attempts by a user to perform generic read and write functions on files or folders:

auditpol /resourceSACL /set /type:File /user:MYDOMAIN\myuser /success /failure /access:FRFW 

To remove all global resource SACL entries for files or folders:

auditpol /resourceSACL /type:File /clear 

To remove all global resource SACL entries for a particular user from files or folders:

auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001} 

To list the global object access auditing entries set on files or folders:

auditpol /resourceSACL /type:File /view 

To list the global object access auditing entries for a particular user that are set on files or folders:

auditpol /resourceSACL /type:File /view /user:MYDOMAIN\myuser 
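
The following PowerShell example is added here and is not part of the original reference. It resolves the account before the SID form is used (auditpol does not verify SIDs, as noted under /user), derives the hexadecimal /access mask from .NET FileSystemRights names, and reads the entry back with /view. The function names are hypothetical, and MYDOMAIN\myuser is the placeholder account used in the examples above.

```powershell
# Added example. Run from an elevated prompt; the function names are hypothetical.

function ConvertTo-AuditAccessMask {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    # auditpol accepts the raw access mask as a hexadecimal value
    '0x{0:x}' -f [int]$Rights
}

function Resolve-AuditSid {
    param([string]$Account)
    # Accepts DOMAIN\name or {S-1-...}. Translate() throws when the identity
    # cannot be mapped, which supplies the existence check auditpol skips.
    if ($Account -match '^\{?(S-1-[\d-]+)\}?$') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier $Matches[1]
        [void]$sid.Translate([System.Security.Principal.NTAccount])
    } else {
        $nt  = New-Object System.Security.Principal.NTAccount $Account
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
    }
    # auditpol expects the SID enclosed in curly braces
    '{' + $sid.Value + '}'
}

function Set-GlobalFileAuditEntry {
    param(
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $user = Resolve-AuditSid $Account
    $mask = ConvertTo-AuditAccessMask $Rights

    # Quote the /user argument: unquoted braces are parsed by PowerShell itself
    & auditpol.exe /resourceSACL /set /type:File "/user:$user" /success /failure "/access:$mask"
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /resourceSACL /set failed with exit code $LASTEXITCODE"
    }

    # Read the entry back so the change is confirmed rather than assumed
    & auditpol.exe /resourceSACL /view /type:File "/user:$user"
}

# Placeholder account from this page; replace it with a real account before running.
Set-GlobalFileAuditEntry -Account 'MYDOMAIN\myuser' -Rights 'ReadAndExecute, Synchronize'
```

Casting a mask back to the enum, for example `[System.Security.AccessControl.FileSystemRights]0x1200a9`, shows which file rights a hexadecimal /access value covers.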
