AUDITPOL - CMD


Overview

Auditpol is a command-line utility in Windows that manages and retrieves audit policy settings. It is useful for viewing and configuring the audit policies that track the activities on a computer, which is vital for system security and compliance purposes. This tool is especially effective in enterprise environments where understanding or setting audit policies on a granular level is required.

Syntax

The basic syntax of the auditpol command is as follows:

auditpol /get [/category:<CategoryGuid or CategoryName> | /subcategory:<SubCategoryGuid or SubCategoryName>] [/rsop] [/schema]
auditpol /set [/user:<UserName or SID> [/include] [/exclude]] [/category:<CategoryGuid or CategoryName>] [/subcategory:<SubCategoryGuid or SubCategoryName>] [/success:enable|disable] [/failure:enable|disable]
auditpol /backup [/file:<FileName>]
auditpol /restore [/file:<FileName>]
auditpol /remove [/user:<UserName or SID>] [/allusers]
auditpol /list [/category] [/subcategory] [/schema] [/resourceSACL]
auditpol /clear [/y]

Options/Flags

  • /get: Displays the current audit policy.
  • /set: Configures the audit policy settings.
    • /success: Specifies to log successful events.
    • /failure: Specifies to log failed events.
  • /category: Targets an audit policy category.
  • /subcategory: Targets a specific audit policy subcategory.
  • /rsop: Displays the Resultant Set of Policy (RSOP) for the audit policy.
  • /schema: Displays the schema of the audit settings.
  • /backup: Backs up the audit policy to a file.
  • /restore: Restores the audit policy from a backup file.
  • /remove: Removes the per-user audit policy for the specified user, or for all users with /allusers.
  • /list: Lists the categories or subcategories.
  • /clear: Clears the audit policy settings, restoring defaults.

Examples

  1. View Current Audit Policy Settings:

    auditpol /get /category:*
    
  2. Set Audit Policy for Account Logon Events:

    auditpol /set /category:"Account Logon" /success:enable /failure:enable
    
  3. Backup Current Audit Policy:

    auditpol /backup /file:"C:\backups\auditpol.bak"
    
  4. Restore Audit Policy from a File:

    auditpol /restore /file:"C:\backups\auditpol.bak"
    
  5. Clear All Audit Policy Settings:

    auditpol /clear
    

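The following is an added worked example, not one of the page's own examples: it uses the /backup, /get and /set forms shown above to compare the effective audit policy with a baseline and, with -Apply, enforce it (the /r switch prints the policy as CSV). The baseline subcategory names, their expected settings and the backup path are assumptions chosen for illustration.

```powershell
# Added example (not from the original page): check the effective audit policy
# against a baseline and optionally enforce it with auditpol. Run elevated.
# Assumptions: baseline subcategory names/settings and the backup path are
# illustrative choices, not values from the page.
param([switch]$Apply)

# Baseline (constructed): subcategory name -> expected "Inclusion Setting" text.
$Baseline = @{
    'Audit Policy Change'       = 'Success and Failure'
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Security Group Management' = 'Success and Failure'
}

# 1. Back up first so any change can be undone with auditpol /restore.
$Backup = Join-Path $env:ProgramData ('auditpol-{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
auditpol /backup "/file:$Backup" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed (exit $LASTEXITCODE); not elevated?" }

# 2. Read the effective policy as CSV (/r) and index it by subcategory name.
$Current = @{}
(auditpol /get /category:* /r) | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv |
    ForEach-Object { $Current[$_.Subcategory.Trim()] = $_.'Inclusion Setting'.Trim() }

# 3. Compare with the baseline and report drift.
$Drift = foreach ($Name in $Baseline.Keys) {
    $Actual = if ($Current.ContainsKey($Name)) { $Current[$Name] } else { '<not reported>' }
    if ($Actual -ne $Baseline[$Name]) {
        [pscustomobject]@{ Subcategory = $Name; Expected = $Baseline[$Name]; Actual = $Actual }
    }
}
if (-not $Drift) { Write-Host 'Audit policy matches baseline.'; return }
$Drift | Format-Table -AutoSize

# 4. Optional enforcement: map the expected text onto /success and /failure.
if ($Apply) {
    foreach ($d in $Drift) {
        $Succ = if ($d.Expected -match 'Success') { 'enable' } else { 'disable' }
        $Fail = if ($d.Expected -match 'Failure') { 'enable' } else { 'disable' }
        auditpol /set "/subcategory:$($d.Subcategory)" "/success:$Succ" "/failure:$Fail"
    }
    Write-Host "Applied. Revert with: auditpol /restore /file:`"$Backup`""
}
```

Run it once without -Apply to see the drift report, then with -Apply from an elevated prompt; the backup path it prints is the input to auditpol /restore if a change needs to be reverted.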
Common Issues

  • Permission Errors: Users must have administrative privileges to modify audit policy settings.
  • Incorrect Category/Subcategory Names: Ensure the exact names or GUIDs of categories and subcategories are used (auditpol /list /subcategory:* prints the valid names).
  • Backup/Restore Failures: Check file paths and access rights when backing up or restoring from files.

Integration

Auditpol can be combined with other commands like schtasks for scheduling regular audit policy backups (the task must run with administrative rights, and the path in %UserProfile% is resolved for the account the task runs as):

schtasks /create /sc daily /tn "AuditPolicyBackup" /tr "auditpol /backup /file:%UserProfile%\Desktop\AuditPolicy.bak" /st 00:00

Related tools:

  • secpol.msc – Local Security Policy console, which also exposes the audit policy settings.
  • gpedit.msc – Local Group Policy Editor for managing computer and user policies.

Additional resources can be found on the official Windows command-line documentation.