Information Technology Reference
In-Depth Information
Using the Auditpol.exe Command
There may be times when you need to review the audit policies actually in effect for a user
or a system. This is where an administrator can use the Auditpol.exe command. Auditpol
lets administrators not only view an audit policy but also set, configure,
modify, restore, and even remove one. Auditpol is a command-line utility with
multiple switches. The following is the syntax
used with Auditpol; Table 7.3 describes some of the switches:
Auditpol command [<sub-command><options>]
Here's an example:
Auditpol /get /user:wpanek /category:"Detailed Tracking" /r
Table 7.3 Auditpol commands

Command    Description
/backup    Allows an administrator to save the audit policy to a file
/clear     Allows an administrator to clear an audit policy
/get       Gives administrators the ability to view the current audit policy
/list      Allows you to view selectable policy elements
/remove    Removes all per-user audit policy settings and disables all system audit policy settings
/restore   Allows an administrator to restore an audit policy from a file that was previously created by using auditpol /backup
/set       Gives an administrator the ability to set an audit policy
/?         Displays help
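Added example (not from the original text): the /r switch used in the example above makes Auditpol emit its report as CSV, which PowerShell can parse and compare against a required baseline. The function name Test-AuditBaseline, the baseline contents, the machine name SRV01, and the placeholder GUIDs are assumptions made for illustration.

```powershell
# Constructed sample of "auditpol /get /category:... /r" output.
# Machine name and GUIDs are placeholders, not real values.
# On a live system (elevated prompt) use instead:
#   $report = auditpol /get /category:"Detailed Tracking" /r |
#             Where-Object { $_ } | ConvertFrom-Csv
$sampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Process Creation,{00000000-0000-0000-0000-000000000001},Success,
SRV01,System,Process Termination,{00000000-0000-0000-0000-000000000002},No Auditing,
SRV01,System,DPAPI Activity,{00000000-0000-0000-0000-000000000003},Success and Failure,
SRV01,System,RPC Events,{00000000-0000-0000-0000-000000000004},No Auditing,
'@
$report = ($sampleCsv -split "`r?`n") | Where-Object { $_ } | ConvertFrom-Csv

# Hypothetical baseline: subcategory -> outcomes that must be audited.
$baseline = @{
    'Process Creation'    = @('Success')
    'Process Termination' = @('Success')
    'DPAPI Activity'      = @('Success', 'Failure')
}

function Test-AuditBaseline {
    param([object[]]$Report, [hashtable]$Baseline)
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $row = $Report | Where-Object { $_.Subcategory -eq $name } |
               Select-Object -First 1
        # A subcategory absent from the report is treated as not audited.
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        # "Success and Failure" satisfies both outcomes; "No Auditing" satisfies none.
        $missing = @($Baseline[$name] | Where-Object { $actual -notmatch "\b$_\b" })
        [pscustomobject]@{
            Subcategory = $name
            Actual      = $actual
            Missing     = $missing -join ', '
            Compliant   = ($missing.Count -eq 0)
        }
    }
}

# Rows with Compliant = False are the gaps to close with auditpol /set.
Test-AuditBaseline -Report $report -Baseline $baseline | Format-Table -AutoSize
```

The check covers the system policy rows only; a per-user report such as the /user example above also fills the Exclusion Setting column, which this function does not evaluate.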
Features of Windows Server 2012 R2 Auditing
Microsoft continues to increase the level of detail in the security auditing logs. Microsoft
has also simplified the deployment and management of auditing policies. The following list
includes some of the features:
Global Object Access Auditing: Administrators using Windows Server 2012 R2 and
Windows 8 now have the ability to define computer-wide system access control lists
(SACLs). Administrators can define SACLs for either the file system or the registry. After
the specified SACL is defined, the SACL is then applied automatically to every object
 