Discussion:
Enable folder Audit with powershell or script
Exequiel Fernandez Cueto
2009-01-19 19:48:01 UTC
Hello everyone, this is my first post, and I'm desperate because I have to
enable audit trail on 500 servers, so I need some script or command in
PowerShell to simplify this.

I'm doing this manually, going through the folder I need to audit: right
click, properties, security, audit, everyone, write, read, etc...

I need someone to tell me how to simplify this, or if someone has a script to
do it.

Thanks
Vadims Podans
2009-01-19 23:00:05 UTC
Hi! You can do it by this:
$ACL = new-object System.Security.AccessControl.DirectorySecurity
$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("everyone","Modify","ContainerInherit, ObjectInherit", "None","success")
$ACL.SetAuditRule($AccessRule)
$ACL | Set-Acl "C:\New Folder"

This writes an audit rule to C:\New Folder for the Everyone security group on
successful Modify, and the inheritance flag is "This folder, subfolders and files".

However, you should manually run this script on all servers, or use
PowerShell V2 Remoting features.

But also you can do it through WMI with WMI remoting (available in
PowerShell 1.0 by default):
# set computer name
$computer = "server01"
# take path
$path = "C:\New Folder"
# specify user
$user = "everyone"
# convert path from C:\Path to C:\\Path format (with double slashes)
$path = $path.replace("\", "\\")
# Create all necessary SecurityDescriptor class instances
$SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
$ace = ([WMIClass] "Win32_ace").CreateInstance()
$Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()
# Translate user to SID
$SID = (new-object security.principal.ntaccount $user).translate([security.principal.securityidentifier])
# Get SID binary form
[byte[]] $SIDArray = ,0 * $SID.BinaryLength
$SID.GetBinaryForm($SIDArray,0)
# fill Trustee object properties that describes user
$Trustee.Name = $user
$Trustee.SID = $SIDArray
# set access mask
$ace.AccessMask = [System.Security.AccessControl.FileSystemRights]"Modify"
# set inheritances and propagation flags
$ace.AceFlags = "0x67"
# set SystemAudit
$ace.AceType = 2
$ace.Trustee = $trustee
# write information about user and access mask to SecurityDescriptor
$SD.SACL = $ace
# set SE_SACL_PRESENT flag, which tells us that we change only Audit information. DACL will not be changed
$SD.ControlFlags="0x10"
# get folder object
$wPrivilege = gwmi Win32_LogicalFileSecuritySetting -computername $computer -filter "path='$path'"
# enable SeSecurityPrivilege and SeRestorePrivilege
$wPrivilege.psbase.Scope.Options.EnablePrivileges = $true
# apply new SACL to real folder object
$wPrivilege.setsecuritydescriptor($SD)

ReturnValue must be zero (0) if the command succeeds. And remember that you must
also enable Audit Object Access in Local Security Policy.
--
WBR, Vadims Podans
PowerShell blog - www.sysadmins.lv
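
The remoting route the answer mentions, as an added example that is not part of the original thread: it applies the same audit rule to a list of servers with Invoke-Command and reads the SACL back to confirm it. It assumes PowerShell V2 remoting (WinRM) is enabled on the targets and the caller is an administrator there; the server names are constructed placeholders.

```powershell
# Constructed sample input: hypothetical server names; the folder is the one from the thread
$servers = "server01", "server02"
$folder  = "C:\New Folder"

$results = Invoke-Command -ComputerName $servers -ArgumentList $folder -ErrorAction SilentlyContinue -ScriptBlock {
    param($path)
    $ErrorActionPreference = "Stop"   # turn Get-Acl/Set-Acl errors into exceptions for catch
    try {
        # Same rule as in the answer: Everyone, Modify, success, this folder + subfolders + files
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
            "Everyone", "Modify", "ContainerInherit, ObjectInherit", "None", "Success"

        # -Audit makes Get-Acl return the SACL as well, so the rule is added to what is already there
        $acl = Get-Acl -Path $path -Audit
        $acl.AddAuditRule($rule)
        Set-Acl -Path $path -AclObject $acl

        # Read the SACL back and look for an explicit (not inherited) rule that covers the new one
        $sacl  = (Get-Acl -Path $path -Audit).GetAuditRules($true, $false, [System.Security.Principal.NTAccount])
        $match = $sacl | Where-Object {
            $_.IdentityReference.Value -eq $rule.IdentityReference.Value -and
            ($_.FileSystemRights -band $rule.FileSystemRights) -eq $rule.FileSystemRights -and
            ($_.AuditFlags -band $rule.AuditFlags) -eq $rule.AuditFlags
        }
        New-Object PSObject -Property @{ Path = $path; Applied = [bool]$match; Error = $null }
    }
    catch {
        New-Object PSObject -Property @{ Path = $path; Applied = $false; Error = $_.Exception.Message }
    }
}

# One row per server that answered
$results | Select-Object PSComputerName, Path, Applied, Error

# Servers that returned nothing (unreachable, remoting disabled, access denied)
$answered = @($results | ForEach-Object { $_.PSComputerName })
$servers | Where-Object { $answered -notcontains $_ }
```

Applied = True only confirms that the SACL entry exists; events are logged only once Audit Object Access is enabled, as the answer notes.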