For last few days, I was trying to figure out how to set file system auditing via command line. I was looking for this as I had to apply some specific audit policy on multiple file servers. From GUI, we could do this, but it will take hours of manual activity.
As requirement, I had to set Success Audit policy on Delete subfolders and files, delete and change permission.
There are multiple tools available, but none of them have ability to apply specific policy, so I decided to try PowerShell, and finally able to apply those audit policy successfully.
First you have to determine the proper FileSystemRights to apply Audit Policy, and to do that create a test folder and apply required permission. Here I created one test folder in called AuditTest, and gave Delete subfolders and files, delete and change permission to Everyone group.
Now to find out the FileSystemRights, open PowerShell and execute the following commands.
$acl = Get-Acl -Path C:AuditTest
So, my required FileSystemRights for applying Audit Policy are DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, Takeownership.
Once I got the FileSystemRights, I use following script to apply Audit Policy. I kept all the location with full path in a txt file (Input.txt) in C drive, and executed the following script.
$TargetFolders = Get-Content C:\Input.txt
$AuditUser = "Everyone"
$AuditRules = "Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,Takeownership"
$InheritType = "ContainerInherit,ObjectInherit"
$AuditType = "Success"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,"None",$AuditType)
foreach ($TargetFolder in $TargetFolders)
$ACL = Get-Acl $TargetFolder
Write-Host "Processing >",$TargetFolder
$ACL | Set-Acl $TargetFolder
Write-Host "Audit Policy applied successfully."
Once you execute the script, you will get following progress list, and wait till finish.
Finally verify the applied policy from GUI.
Update : Now script will only modify Audit details, not overwriting the access permission.