Set File System Auditing via PowerShell

For the last few days, I was trying to figure out how to set file system auditing from the command line. I needed this because I had to apply a specific audit policy on multiple file servers. It can be done from the GUI, but that takes hours of manual work.

My requirement was to set a Success audit policy on Delete subfolders and files, Delete and Change permissions.

There are multiple tools available, but none of them has the ability to apply a specific policy, so I decided to try PowerShell, and I was finally able to apply those audit policies successfully.

Step-By-Step:
First you have to determine the proper FileSystemRights to apply the audit policy. To do that, create a test folder and apply the required permission. Here I created one test folder called AuditTest, and gave Delete subfolders and files, Delete and Change permissions to the Everyone group.


Now, to find out the FileSystemRights, open PowerShell and execute the following commands.

$acl = Get-Acl -Path C:\AuditTest
$acl.Access

So, my required FileSystemRights for applying the audit policy are DeleteSubdirectoriesAndFiles, Delete, ChangePermissions and TakeOwnership.

Once I had the FileSystemRights, I used the following script to apply the audit policy. I kept all the locations, with full paths, in a text file (Input.txt) on the C: drive, and executed the following script.
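The script itself did not survive on this page, so the following is an added example (not the author's script) of the procedure described: it reads one folder path per line from Input.txt, builds a Success audit rule with the rights identified above, and writes only the SACL so existing access permissions are untouched. It assumes the list is at C:\Input.txt and that the shell is elevated, since reading and writing a SACL requires the SeSecurityPrivilege.

```powershell
# Added example, not the original post's script.
# Assumptions: C:\Input.txt holds one full folder path per line, and this
# runs in an elevated PowerShell (SACL access needs SeSecurityPrivilege).

$InputFile = 'C:\Input.txt'
$AuditUser = 'Everyone'

# Rights identified from $acl.Access on the AuditTest folder.
$AuditRights = [System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'

# "This folder, subfolders and files": inherit to both containers and objects.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$AuditType = [System.Security.AccessControl.AuditFlags]::Success

$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $AuditUser, $AuditRights, $Inherit, $Propagate, $AuditType

$Targets = @(Get-Content -Path $InputFile | Where-Object { $_.Trim() -ne '' })
$Total = $Targets.Count
$Index = 0

foreach ($Target in $Targets) {
    $Index++
    Write-Progress -Activity 'Applying audit policy' -Status $Target `
        -PercentComplete (100 * $Index / $Total)

    if (-not (Test-Path -LiteralPath $Target)) {
        Write-Warning "Skipping missing path: $Target"
        continue
    }

    try {
        # -Audit loads the existing SACL, so the new rule is added alongside
        # the audit entries already present instead of replacing them.
        $Acl = Get-Acl -LiteralPath $Target -Audit
        $Acl.AddAuditRule($Rule)
        # Only the audit section was modified, so the DACL is left as is.
        Set-Acl -LiteralPath $Target -AclObject $Acl
        Write-Host "Audit rule applied: $Target"
    }
    catch {
        Write-Warning "Failed on ${Target}: $($_.Exception.Message)"
    }
}
Write-Host 'Audit policy applied successfully.'
```

Verify afterwards with `(Get-Acl -LiteralPath <folder> -Audit).Audit`, which lists the SACL entries the GUI shows on the Auditing tab.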

Once you execute the script, you will see the following progress list; wait until it finishes.


Finally, verify the applied policy from the GUI.

Update: The script now only modifies the audit details; it no longer overwrites the access permissions.


16 thoughts on “Set File System Auditing via PowerShell”

  1. It’s removing permissions from the folder/drive of interest; in my case I need to enable failure auditing for the C: drive.
    However, it runs okay when I re-add those removed users from the Permissions tab, and if I rerun it, it works okay.
    Below is the syntax I am using:
    $TargetFolders = "C:"
    $AuditUser = "Everyone"
    $AuditRules = "FullControl"
    $InheritType = "None"
    $AuditType = "Failure"
    # identity, rights, inheritance flags, propagation flags, audit flags
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,"None",$AuditType)
    foreach ($TargetFolder in $TargetFolders)
    {
    # read the security descriptor, replace the audit rule, write it back
    $ACL = (Get-Item $TargetFolder).GetAccessControl('Access')
    $ACL.SetAuditRule($AccessRule)
    Write-Host "Processing >",$TargetFolder
    $ACL | Set-Acl $TargetFolder
    }
    Write-Host "Audit Policy applied successfully."

  2. I am not sure why it is not working in your environment. I have tested the code again, and everything seems to be working as expected here. It is only updating the audit policy, not the existing permissions.

    Please make sure you are a member of the local Administrators group.

  3. This is really useful, thanks! Do you know if there is a way to get this to update Windows ‘Protected’ folders such as c:\windows\system32, c:\windows\syswow64, etc.? I get ‘PermissionDenied’ when running this on those types of folders.
    Thanks!

  4. This script is almost exactly what I need. But I’m new to PowerShell, and I’m not sure how you generated Input.txt. How would I make an Input.txt that includes every file on a drive? Or does the script know how to recurse? Or is there a better way?

    • You just have to put the folder names with their paths, one per line, in the input file. For example, if you want to apply the audit to some folders on the D: drive, it will look like
      D:\Yourfolder1
      D:\Yourfolder2
      D:\Yourfolder3
      D:\Yourfolder3

  5. Will this work on setting audits on file(s) in system32 and SysWOW64 folders. For example:
    \%Windows%\System32\activeds.dll

    I need to set Failed events.
    Thanks!

  6. Saugata,

    Is there a way to tick the box where it says ‘only apply these auditing settings to objects and / or containers within this container’

    • I never tried that, but I guess you can find it out on your own: just create a test folder and take a permission snapshot into a variable, then make the changes manually and take another permission snapshot into a new variable, then compare them. I guess you will be able to find out what you are looking for.

      Before:
      $acl1 = Get-Acl -Path C:\AuditTest

      After:
      $acl2 = Get-Acl -Path C:\AuditTest
