#1 (permalink)

Enable folder Audit with powershell or script

Hello everyone, this is my first post, and I'm desperate because I have to enable audit trail in 500 servers, so I need some script or command in PowerShell to simplify this.

I'm doing this manually, going through the folder I need to audit, right click, properties, security, audit, everyone, write, read, etc...

I need someone to tell me how to simplify this or if someone has a script to do it.

Thanks
#2 (permalink)

Re: Enable folder Audit with powershell or script

Hi! You can do it like this:

```powershell
# Build a security descriptor that carries only the audit (SACL) rule
$ACL = New-Object System.Security.AccessControl.DirectorySecurity
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule("everyone","Modify","ContainerInherit, ObjectInherit","None","Success")
$ACL.SetAuditRule($AccessRule)
$ACL | Set-Acl "C:\New Folder"
```

This writes an audit entry to C:\New Folder for the Everyone security group, for successful Modify, and the inheritance flag is "This folder, subfolders and files". However, you should manually run this script on all servers, or use PowerShell V2 Remoting features. You can also do it through WMI with WMI remoting (available in PowerShell 1.0 by default):

```powershell
# set computer name
$computer = "server01"
# take path
$path = "C:\New Folder"
# specify user
$user = "everyone"
# convert path from C:\Path to C:\\Path format (with double slashes)
$path = $path.replace("\", "\\")
# create all necessary SecurityDescriptor class instances
$SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
$ace = ([WMIClass] "Win32_ace").CreateInstance()
$Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()
# translate user to SID
$SID = (new-object security.principal.ntaccount $user).translate([security.principal.securityidentifier])
# get SID binary form
[byte[]] $SIDArray = ,0 * $SID.BinaryLength
$SID.GetBinaryForm($SIDArray,0)
# fill Trustee object properties that describe the user
$Trustee.Name = $user
$Trustee.SID = $SIDArray
# set access mask
$ace.AccessMask = [System.Security.AccessControl.FileSystemRights]"Modify"
# set inheritance and propagation flags
$ace.AceFlags = "0x67"
# set SystemAudit
$ace.AceType = 2
$ace.Trustee = $trustee
# write information about user and access mask to SecurityDescriptor
$SD.SACL = $ace
# set SE_SACL_PRESENT flag, which tells us that we change only Audit information.
# DACL will not be changed
$SD.ControlFlags = "0x10"
# get folder object (uses $computer set above; the original referenced an undefined $server)
$wPrivilege = gwmi Win32_LogicalFileSecuritySetting -computername $computer -filter "path='$path'"
# enable SeSecurityPrivilege and SeRestorePrivilege
$wPrivilege.psbase.Scope.Options.EnablePrivileges = $true
# apply new SACL to real folder object
$wPrivilege.setsecuritydescriptor($SD)
```

ReturnValue must be zero (0) if the command succeeds. And remember that you must also enable Audit Object Access in Local Security Policy.

--
WBR, Vadims Podans
PowerShell blog - www.sysadmins.lv

"Exequiel Fernandez Cueto" <Exequiel Fernandez Cueto@xxxxxx> wrote in message "news:711493C3-52B0-4627-A905-036CAD6841E1@xxxxxx"...

Quote:
> Hello everyone, this is my first post, and I'm desperate because I have to
> enable audit trail in 500 servers, so I need some script or command in
> PowerShell to simplify this.
>
> I'm doing this manually, going through the folder I need to audit, right
> click, properties, security, audit, everyone, write, read, etc...
>
> I need someone to tell me how to simplify this or if someone has a script
> to do it.
>
> Thanks
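The first snippet in the answer above starts from an empty DirectorySecurity object. The following added example (not part of the original posts) instead reads the folder's existing SACL, adds the rule only when it is missing, reads the result back, and runs on several servers through the PowerShell V2 remoting the answer mentions. The function name Add-FolderAuditRule and the server names are hypothetical; it assumes PowerShell 2.0 or later, remoting enabled on the targets, and an administrative account.

```powershell
# Added example. Add-FolderAuditRule and the server names are hypothetical.
# Reading or writing a SACL needs SeSecurityPrivilege, so run as an administrator.
function Add-FolderAuditRule {
    param(
        [string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
        [System.Security.AccessControl.AuditFlags]$Audit = 'Success'
    )
    # S-1-1-0 is the well-known SID for Everyone; it avoids localized group names
    $sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $sidType   = [System.Security.Principal.SecurityIdentifier]
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]'None'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
                -ArgumentList $sid, $Rights, $inherit, $propagate, $Audit

    # Start from the SACL already on the folder so existing audit entries survive
    $acl = Get-Acl -Path $Path -Audit

    # Explicit (non-inherited) rules that already cover what is being requested
    $present = $acl.GetAuditRules($true, $false, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.InheritanceFlags -eq $inherit -and
        ($_.AuditFlags -band $Audit) -eq $Audit -and
        ($_.FileSystemRights -band $Rights) -eq $Rights
    }
    if (-not $present) {
        $acl.AddAuditRule($rule)
        Set-Acl -Path $Path -AclObject $acl
    }

    # Read back from disk so the caller gets evidence of the resulting SACL
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $false, $sidType) |
        Select-Object @{n='Computer';e={$env:COMPUTERNAME}}, @{n='Path';e={$Path}},
            IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

$servers = 'server01', 'server02'      # constructed names; replace with the real list
Invoke-Command -ComputerName $servers -ScriptBlock ${function:Add-FolderAuditRule} `
    -ArgumentList 'C:\New Folder'

# A SACL produces no events unless Object Access auditing is enabled
# (category name as shown on English-language systems)
Invoke-Command -ComputerName $servers -ScriptBlock {
    auditpol /get /category:"Object Access"
}
```

Because the function skips folders that already carry an equivalent rule, it can be re-run across the server list without stacking duplicate audit entries.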