Windows 10/8/7, Windows Vista, Windows Server 2008 and Windows Server 2008 R2 include a command-line tool called the Audit Policy Program, AuditPol.exe. It is located in the System32 folder and lets you manage and verify audit policy subcategory settings more precisely.
Audit policies defined at the category level override the newer audit policy subcategory settings. A registry value introduced in Windows Vista, SCENoApplyLegacyAuditPolicy, lets you manage audit policy using subcategories without changing Group Policy. Setting this value prevents category-level audit policy from Group Policy and from the Local Security Policy management tool from being applied.
AuditPol on Windows
To enable this option, open Local Security Policy > Local Policies > Security Options.
In the right pane, double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. Choose Enabled, then Apply/OK.
AuditPol has several switches that let you view, set, delete, save and restore settings.
In particular, it can be used to:
- Set and query a system audit policy.
- Set and query a per-user audit policy.
- Set and query auditing options.
- Set and query the security descriptor used to delegate access to an audit policy.
- Report or back up an audit policy to a comma-separated value (CSV) text file.
- Load an audit policy from a CSV text file.
- Configure global resource SACLs.
From a command prompt opened as an administrator, you can use AuditPol to display the audit settings currently in effect:
auditpol /get /category:*
Note that AuditPol and the Local Security Policy tool (secpol.msc) may show different results for the same audit policy settings. KB2573113 explains why:
AuditPol directly calls the authorization APIs to implement changes to the granular audit policy. Secpol.msc manipulates the local Group Policy object, which writes the changes to system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv. The settings stored in the .csv file are not applied directly to the system at the time of modification, but are written to the file and read later by the client-side extension (CSE). During the next Group Policy update cycle, the CSE applies the changes that exist in the .csv file. Secpol.msc shows what is defined in the local GPO. There is no effective-settings view in secpol.msc that merges the granular AuditPol settings with what is locally defined in secpol.msc.
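The merged view that secpol.msc lacks can be produced by comparing AuditPol's CSV report with the local GPO's audit.csv. The script below is an added example, not code from the original page or from Microsoft. It assumes an elevated PowerShell prompt, the English CSV column names that AuditPol emits, and that SCENoApplyLegacyAuditPolicy lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; Compare-AuditPolicy is a hypothetical helper name.

```powershell
# Added example: effective audit policy vs. what the local GPO defines.
# Run from an elevated PowerShell prompt on English-language Windows.

function Compare-AuditPolicy {          # hypothetical helper name
    param(
        [object[]] $Effective,          # rows parsed from: auditpol /get /category:* /r
        [object[]] $LocalGpo            # rows parsed from the local GPO's audit.csv
    )
    # Index the local GPO rows by subcategory GUID. PowerShell hashtables are
    # case-insensitive, which matters because the two sources may differ in GUID case.
    $defined = @{}
    foreach ($row in $LocalGpo) {
        $guid = $row.'Subcategory GUID'
        if ($guid) { $defined[$guid] = $row.'Inclusion Setting' }
    }
    foreach ($row in $Effective) {
        $guid = $row.'Subcategory GUID'
        if (-not $guid) { continue }    # skip blank or malformed rows
        $gpoSetting = $defined[$guid]
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Effective   = $row.'Inclusion Setting'
            LocalGpo    = if ($gpoSetting) { $gpoSetting } else { '(not defined)' }
            Differs     = [bool]$gpoSetting -and ($gpoSetting -ne $row.'Inclusion Setting')
        }
    }
}

# What is in effect right now, as AuditPol reports it (/r = CSV report format).
$effective = auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv

# What secpol.msc wrote to the local GPO; absent if nothing was configured there.
$csvPath  = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
$localGpo = @(if (Test-Path -LiteralPath $csvPath) { Import-Csv -LiteralPath $csvPath })

# SCENoApplyLegacyAuditPolicy = 1 means subcategory settings take precedence.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
           -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
"Subcategory override enabled: $($lsa.SCENoApplyLegacyAuditPolicy -eq 1)"

Compare-AuditPolicy -Effective $effective -LocalGpo $localGpo |
    Sort-Object -Property @{ Expression = 'Differs'; Descending = $true }, 'Subcategory' |
    Format-Table -AutoSize
```

Rows with Differs set to True are subcategories where the local GPO definition and the setting currently in effect disagree, which is the mismatch described above.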
For more information, see AuditPol on TechNet.