AuditPolicy – PowerShell Module

Supported Systems

This module was tested using Windows PowerShell 5.1 on:

  • Windows 11
  • Windows 2016
  • Windows 2012 R2

It should work correctly on Windows 2019, Windows 2022, and Windows 10. I believe it should work on Windows 2012 and earlier (assuming Windows PowerShell 5.1 works there), but that requires confirmation. Registry values are different and I've not tested it on those systems. As those systems are already unsupported by Microsoft, there's no need to investigate this.

Ways to configure Auditing Policies on Windows Systems

There are three ways to set up Auditing Policies on Windows systems. Those are:

  • Group Policies (GPO)
  • Local Group Policy Objects (using secpol.msc)
  • Using AuditPol.exe

It's essential to understand the consequences of using all three methods. As Microsoft describes it in its troubleshooting guide on why AuditPol and Local Security Policy results may differ:

AuditPol directly calls authorization APIs to implement the changes to the granular audit policy. Secpol.msc manipulates the Local Group Policy Object, which results in writing the changes to %SYSTEMROOT%\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv.

The settings saved to the .csv file aren't applied directly to the system at the time of modification but are instead written to the file and read later by the client-side extension (CSE). At the next group policy refresh cycle, the CSE applies the modifications that are present in the .csv file.

It took me a while to understand what was happening and to question the method I was using to set Auditing settings. Why is this important? Because if audit.csv exists with some settings that you set via Local Group Policy, whatever you set via auditpol.exe or my PowerShell Module will get scrapped.

Secpol.msc displays only what is set in the local GPO. There's no "effective settings" view in secpol.msc that merges the granular AuditPol settings with what is defined locally as shown by secpol.msc.
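A check a practitioner will want before trusting auditpol.exe or the module, added here as an example and not part of the AuditPolicy module: it lists every subcategory whose entry in the local GPO Audit.csv differs from the effective auditpol setting, i.e. the settings that will be overwritten at the next Group Policy refresh. The Audit.csv path is the one quoted above; the CSV column names (Policy Target, Subcategory GUID, Inclusion Setting) are assumed from the format shared by Audit.csv and `auditpol /get /r`.

```powershell
# Added example (not part of the AuditPolicy module). Compares the local GPO
# Audit.csv with the effective policy reported by auditpol.exe and returns the
# subcategories that will be overwritten at the next Group Policy refresh.
# Assumptions: the documented Audit.csv path and the CSV columns
# 'Policy Target', 'Subcategory GUID' and 'Inclusion Setting' in both sources.
# Run from an elevated Windows PowerShell 5.1 session.
function Get-AuditCsvConflict {
    [CmdletBinding()]
    param(
        [string] $AuditCsvPath = "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv"
    )
    if (-not (Test-Path -LiteralPath $AuditCsvPath)) {
        Write-Verbose "No local GPO Audit.csv found; nothing set via auditpol or the registry will be overwritten by the local GPO."
        return
    }
    # Effective (granular) settings as auditpol sees them, keyed by subcategory GUID.
    # auditpol /r may emit an empty first line, so blank lines are dropped before parsing.
    $Effective = @{}
    $AuditpolRows = auditpol.exe /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    foreach ($Row in $AuditpolRows) {
        if ($Row.'Policy Target' -ne 'System') { continue }   # ignore per-user policies
        $Effective["$($Row.'Subcategory GUID')".ToLowerInvariant()] = $Row
    }
    # Walk the local GPO file and report every system-wide setting that differs.
    foreach ($Row in (Import-Csv -LiteralPath $AuditCsvPath)) {
        if ($Row.'Policy Target' -ne 'System') { continue }
        $Current = $Effective["$($Row.'Subcategory GUID')".ToLowerInvariant()]
        if (-not $Current) { continue }                        # GUID unknown to this OS build
        if ($Current.'Inclusion Setting' -ne $Row.'Inclusion Setting') {
            [PSCustomObject]@{
                Subcategory = $Row.Subcategory
                GUID        = $Row.'Subcategory GUID'
                Effective   = $Current.'Inclusion Setting'    # what auditpol applies now
                LocalGpoCsv = $Row.'Inclusion Setting'        # what the CSE will apply next refresh
            }
        }
    }
}

Get-AuditCsvConflict -Verbose | Format-Table -AutoSize
```

An empty result with the file present means the local GPO and the effective policy agree; rows in the output are exactly the settings that a Local Security Policy refresh will silently change.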

Installing PowerShell Module

Install-Module -Name AuditPolicy -AllowClobber -Force

-Force and -AllowClobber aren't necessary, but they do skip errors in case some appear.

Updating PowerShell Module

Update-Module -Name AuditPolicy

That's it. Whenever there's a new version you simply run the command and you can enjoy it. Remember that you may need to close and reopen the PowerShell session if you have already used the module before updating it.

The important thing is: if something works for you on production, keep using it until you have tested the new version on a test computer. I make changes that may not be big, but big enough that an auto-update will break your code. For example, a small rename of a parameter and your code stops working! Be responsible!

Using PowerShell Module

Getting System Audit Policies

Getting system audit policies

$AuditPolicies = Get-SystemAuditPolicy
$AuditPolicies | Format-Table

Getting system audit policies but split by category

$AuditPolicies = Get-SystemAuditPolicy -Categories
$AuditPolicies | Format-Table

Getting single system audit policy

Get-SystemAuditPolicy -Policy 'Application Group Management'

Setting System Audit Policies (via Local Security Policy)

AuditPolicy has 3 ways to modify System Audit Policies. One of them is doing it via Local Security Policy. By using the UseLocalSecurityPolicy switch, we force AuditPolicy to use Local Security Policy.

Set-SystemAuditPolicy -Policy 'Account Lockout' -Value SuccessAndFailure -UseLocalSecurityPolicy -WhatIf
Set-SystemAuditPolicy -Policy 'Group Membership' -Value Failure -UseLocalSecurityPolicy -WhatIf

Please keep in mind that setting AuditPolicy via Local Security Policy has no immediate impact and requires a GPO refresh (which can be forced with gpupdate /force).

Setting System Audit Policies (via AuditPol)

Another option is to use auditpol.exe. If the UseAuditPol switch is used, AuditPolicy uses auditpol.exe to set the Audit Policies.

Set-SystemAuditPolicy -System 'Security State Change' -Value SuccessAndFailure -UseAuditPol -WhatIf

Setting System Audit Policies (via standard means (registry))

Finally, the default option (no switch given) is to use the registry, which writes the proper binary value for the chosen options.

$WhatIf = $false
Set-SystemAuditPolicy -System 'Security State Change' -Value Failure -Verbose -WhatIf:$WhatIf
Set-SystemAuditPolicy -AccountLogon 'Other Account Logon Events' -Value Failure -Verbose -WhatIf:$WhatIf
Set-SystemAuditPolicy -AccountLogon 'Kerberos Authentication Service' -Value SuccessAndFailure -Verbose -WhatIf:$WhatIf
Set-SystemAuditPolicy -AccountLogon 'Credential Validation' -Value Success -Verbose -WhatIf:$WhatIf
Set-SystemAuditPolicy -AccountManagement 'Computer Account Management' -Value Failure -Verbose -WhatIf:$WhatIf
Set-SystemAuditPolicy -AccountManagement 'Application Group Management' -Value Success -Verbose -WhatIf:$WhatIf
Set-SystemAuditPolicy -AccountManagement 'Distribution Group Management' -Value Failure -Verbose -WhatIf:$WhatIf
Set-SystemAuditPolicy -AccountManagement 'Other Account Management Events' -Value Failure -Verbose -WhatIf:$WhatIf
Set-SystemAuditPolicy -AccountManagement 'Security Group Management' -Value Failure -Verbose -WhatIf:$WhatIf
Set-SystemAuditPolicy -AccountManagement 'User Account Management' -Value Failure -Verbose -WhatIf:$WhatIf

Backing up and restoring system audit policies

Sometimes, before doing anything, you may want to back up your policies:

Backup-SystemAuditPolicy | Out-File -FilePath $PSScriptRoot\Backups\AuditPolicy.json

To restore:

$FilePath = "$PSScriptRoot\Backups\AuditPolicy.json"

Restore-SystemAuditPolicy -FilePath $FilePath -Verbose -WhatIf
Restore-SystemAuditPolicy -FilePath $FilePath -Verbose -Policy 'Application Group Management' -WhatIf
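A backup, apply, verify and roll-back round trip using the cmdlets shown in the registry and backup/restore sections above, added here as an example and not part of the module's own documentation. The backup location under $env:TEMP and the mapping from the module's -Value names to the strings auditpol.exe prints are assumptions of this example; auditpol is used for verification because it reports the effective granular policy regardless of which method set it.

```powershell
# Added example (not part of the AuditPolicy module). Changes one subcategory
# through the module's default (registry) method, confirms the effective
# setting with auditpol.exe and restores that single policy from the backup if
# they disagree. Assumed: backup path under $env:TEMP and the -Value to
# auditpol string mapping below. Run elevated in Windows PowerShell 5.1.
$BackupPath = Join-Path $env:TEMP 'AuditPolicy-backup.json'
$Policy     = 'Security State Change'
$Wanted     = 'SuccessAndFailure'

# Module -Value names as used on this page, mapped to auditpol's Inclusion Setting text (assumed).
$Expected = @{
    Success           = 'Success'
    Failure           = 'Failure'
    SuccessAndFailure = 'Success and Failure'
}[$Wanted]

# 1. Back up the whole audit policy before touching anything.
Backup-SystemAuditPolicy | Out-File -FilePath $BackupPath -Encoding UTF8

# 2. Apply via the default registry method. No -WhatIf here: this is a real change.
Set-SystemAuditPolicy -System $Policy -Value $Wanted -Verbose

# 3. Verify against the effective policy (blank lines from auditpol /r are dropped).
$Row = auditpol.exe /get /subcategory:"$Policy" /r |
    Where-Object { $_ } | ConvertFrom-Csv |
    Where-Object { $_.'Policy Target' -eq 'System' }

if ($Row -and $Row.'Inclusion Setting' -eq $Expected) {
    "OK: '$Policy' is now '$($Row.'Inclusion Setting')'"
} else {
    # 4. Mismatch (e.g. a local GPO Audit.csv or a registry write that did not take): roll back this policy only.
    Write-Warning "Mismatch for '$Policy': auditpol reports '$($Row.'Inclusion Setting')', expected '$Expected'. Restoring from backup."
    Restore-SystemAuditPolicy -FilePath $BackupPath -Policy $Policy -Verbose
}
```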

Audit Policies Subcategories

Subcategories, with their GUIDs, as used within the Audit.csv file to manage audit policy settings:

| Subcategory GUID | Purpose |
|---|---|
| {0CCE9213-69AE-11D9-BED3-505054503030} | Identifies the IPsec Driver audit subcategory. This subcategory audits events that are generated by the IPsec filter driver. |
| {0CCE9212-69AE-11D9-BED3-505054503030} | Identifies the System Integrity audit subcategory. This subcategory audits events that violate the integrity of the security subsystem. |
| {0CCE9211-69AE-11D9-BED3-505054503030} | Identifies the Security System Extension audit subcategory. This subcategory audits events related to security system extensions or services. |
| {0CCE9210-69AE-11D9-BED3-505054503030} | Identifies the Security State Change audit subcategory. This subcategory audits events generated by changes in the security state of the computer. |
| {0CCE9214-69AE-11D9-BED3-505054503030} | Identifies the Other System Events audit subcategory. This subcategory should audit the following event: Cryptography key file and migration operations. |
| {0CCE9243-69AE-11D9-BED3-505054503030} | Identifies the Network Policy Server audit subcategory. This subcategory audits events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. |
| {0CCE921C-69AE-11D9-BED3-505054503030} | Identifies the Other Logon/Logoff Events audit subcategory. This subcategory audits other events related to logon and logoff that are not included in the Logon/Logoff category. |
| {0CCE921B-69AE-11D9-BED3-505054503030} | Identifies the Special Logon audit subcategory. This subcategory audits events generated by special logons. |
| {0CCE921A-69AE-11D9-BED3-505054503030} | Identifies the IPsec Extended Mode audit subcategory. This subcategory audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations. |
| {0CCE9219-69AE-11D9-BED3-505054503030} | Identifies the IPsec Quick Mode audit subcategory. This subcategory audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. |
| {0CCE9218-69AE-11D9-BED3-505054503030} | Identifies the IPsec Main Mode audit subcategory. This subcategory audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. |
| {0CCE9217-69AE-11D9-BED3-505054503030} | Identifies the Account Lockout audit subcategory. This subcategory audits events generated by a failed attempt to log on to an account that is locked out. |
| {0CCE9216-69AE-11D9-BED3-505054503030} | Identifies the Logoff audit subcategory. This subcategory audits events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to. |
| {0CCE9215-69AE-11D9-BED3-505054503030} | Identifies the Logon audit subcategory. This subcategory audits events generated by user account logon attempts on a computer. |
| {0CCE9223-69AE-11D9-BED3-505054503030} | Identifies the Handle Manipulation audit subcategory. This subcategory audits events generated when a handle to an object is opened or closed. Only objects with a matching SACL generate security audit events. Open and close handle events will be audited when both the Handle Manipulation subcategory is enabled along with the corresponding resource manager identified by other Object Access audit subcategory, like File System or Registry. Enabling Handle Manipulation causes implementation-specific security event data to be logged identifying the permissions that were used to grant or deny the access requested by the user; this is also known as "Reason for access". |
| {0CCE9244-69AE-11D9-BED3-505054503030} | Identifies the Detailed File Share audit subcategory. This subcategory audits every attempt to access objects in a shared folder. |
| {0CCE9227-69AE-11D9-BED3-505054503030} | Identifies the Other Object Access Events audit subcategory. This subcategory audits events generated by the management of Task Scheduler jobs or COM+ objects. |
| {0CCE9226-69AE-11D9-BED3-505054503030} | Identifies the Filtering Platform Connection audit subcategory. This subcategory audits connections that are allowed or blocked by WFP. |
| {0CCE9225-69AE-11D9-BED3-505054503030} | Identifies the Filtering Platform Packet Drop audit subcategory. This subcategory audits packets that are dropped by Windows Filtering Platform (WFP). |
| {0CCE9224-69AE-11D9-BED3-505054503030} | Identifies the File Share audit subcategory. This subcategory audits attempts to access a shared folder. |
| {0CCE9222-69AE-11D9-BED3-505054503030} | Identifies the Application Generated audit subcategory. This subcategory audits applications that generate events by using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function. |
| {0CCE9221-69AE-11D9-BED3-505054503030} | Identifies the Certification Services audit subcategory. This subcategory audits Active Directory Certificate Services (AD CS) operations. |
| {0CCE9220-69AE-11D9-BED3-505054503030} | Identifies the SAM audit subcategory. This subcategory audits events generated by attempts to access Security Accounts Manager (SAM) objects. |
| {0CCE921F-69AE-11D9-BED3-505054503030} | Identifies the Kernel Object audit subcategory. This subcategory audits attempts to access the system kernel, which include mutexes and semaphores. Only kernel objects with a matching SACL generate security audit events. The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects. |
| {0CCE921E-69AE-11D9-BED3-505054503030} | Identifies the Registry audit subcategory. This subcategory audits attempts to access registry objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. |
| {0CCE921D-69AE-11D9-BED3-505054503030} | Identifies the File System audit subcategory. This subcategory audits user attempts to access file system objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Write, Read, or Modify, and the account making the request match the settings in the SACL. |
| {0CCE9229-69AE-11D9-BED3-505054503030} | Identifies the Non Sensitive Privilege Use audit subcategory. This subcategory audits events generated by the use of nonsensitive privileges (user rights), such as logging on locally or with a Remote Desktop connection, changing the system time, or removing a computer from a docking station. |
| {0CCE922A-69AE-11D9-BED3-505054503030} | Identifies the Other Privilege Use Events audit subcategory. |
| {0CCE9228-69AE-11D9-BED3-505054503030} | Identifies the Sensitive Privilege Use audit subcategory. This subcategory audits events generated by the use of sensitive privileges (user rights), such as acting as part of the operating system, backing up files and directories, impersonating a client computer, or generating security audits. |
| {0CCE922D-69AE-11D9-BED3-505054503030} | Identifies the DPAPI Activity audit subcategory. This subcategory audits events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. |
| {0CCE922C-69AE-11D9-BED3-505054503030} | Identifies the Process Termination audit subcategory. This subcategory audits events generated when a process ends. |
| {0CCE922B-69AE-11D9-BED3-505054503030} | Identifies the Process Creation audit subcategory. This subcategory audits events generated when a process is created or starts. The name of the application or user that created the process is also audited. |
| {0CCE922E-69AE-11D9-BED3-505054503030} | Identifies the RPC Events audit subcategory. This subcategory audits inbound remote procedure call (RPC) connections. |
| {0CCE9232-69AE-11D9-BED3-505054503030} | Identifies the MPSSVC Rule-Level Policy Change audit subcategory. This subcategory audits events generated by changes in policy rules used by Windows Firewall. |
| {0CCE9234-69AE-11D9-BED3-505054503030} | Identifies the Other Policy Change Events audit subcategory. This subcategory audits events generated by other security policy changes that are not audited in the Policy Change category. |
| {0CCE9233-69AE-11D9-BED3-505054503030} | Identifies the Filtering Platform Policy Change audit subcategory. This subcategory audits events generated by changes to Windows Filtering Platform (WFP). |
| {0CCE922F-69AE-11D9-BED3-505054503030} | Identifies the Audit Policy Change audit subcategory. This subcategory audits changes in security audit policy settings. |
| {0CCE9231-69AE-11D9-BED3-505054503030} | Identifies the Authorization Policy Change audit subcategory. This subcategory audits events generated by changes to the authorization policy. |
| {0CCE9230-69AE-11D9-BED3-505054503030} | Identifies the Authentication Policy Change audit subcategory. This subcategory audits events generated by changes to the authentication policy. |
| {0CCE923A-69AE-11D9-BED3-505054503030} | Identifies the Other Account Management Events audit subcategory. This subcategory audits events generated by other user account changes that are not covered in this category. |
| {0CCE9239-69AE-11D9-BED3-505054503030} | Identifies the Application Group Management audit subcategory. This subcategory audits events generated by changes to application groups. |
| {0CCE9238-69AE-11D9-BED3-505054503030} | Identifies the Distribution Group Management audit subcategory. This subcategory audits events generated by changes to distribution groups. |
| {0CCE9237-69AE-11D9-BED3-505054503030} | Identifies the Security Group Management audit subcategory. This subcategory audits events generated by changes to security groups. |
| {0CCE9236-69AE-11D9-BED3-505054503030} | Identifies the Computer Account Management audit subcategory. This subcategory audits events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted. |
| {0CCE9235-69AE-11D9-BED3-505054503030} | Identifies the User Account Management audit subcategory. This subcategory audits changes to user accounts. |
| {0CCE923E-69AE-11D9-BED3-505054503030} | Identifies the Detailed Directory Service Replication audit subcategory. This subcategory audits events generated by detailed AD DS replication between domain controllers (DCs). |
| {0CCE923B-69AE-11D9-BED3-505054503030} | Identifies the Directory Service Access audit subcategory. This subcategory audits events generated when an AD DS object is accessed. Only AD DS objects with a matching SACL are logged. |
| {0CCE923D-69AE-11D9-BED3-505054503030} | Identifies the Directory Service Replication audit subcategory. This subcategory audits replication between two AD DS DCs. |
| {0CCE923C-69AE-11D9-BED3-505054503030} | Identifies the Directory Service Changes audit subcategory. This subcategory audits events generated by changes to AD DS objects. Events are logged when an object is created, deleted, modified, moved, or undeleted. |
| {0CCE9241-69AE-11D9-BED3-505054503030} | Identifies the Other Account Logon Events audit subcategory. This subcategory audits events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. |
| {0CCE9240-69AE-11D9-BED3-505054503030} | Identifies the Kerberos Service Ticket Operations audit subcategory. This subcategory audits events generated by Kerberos service ticket requests. |
| {0CCE923F-69AE-11D9-BED3-505054503030} | Identifies the Credential Validation audit subcategory. This subcategory audits events generated by validation tests on user account logon credentials. |
| {0CCE9242-69AE-11D9-BED3-505054503030} | Identifies the Kerberos Authentication Service audit subcategory. This subcategory audits events generated by Kerberos authentication ticket-granting ticket (TGT) requests. |
| {0CCE9245-69AE-11D9-BED3-505054503030} | Identifies the Removable Storage audit subcategory. This subcategory audits user attempts to access file system objects on any Removable Storage device. A security audit event is generated for every read or write access to a file object on any Removable Storage device attached to the user's machine. |
| {0CCE9246-69AE-11D9-BED3-505054503030} | Identifies the Central Access Policy Staging audit subcategory. This subcategory audits access requests where the permission granted or denied by a proposed policy differs from that granted or denied by the current central access policy on an object. |
| {0cce9247-69ae-11d9-bed3-505054503030} | Identifies the User/Device Claims audit subcategory. This subcategory should audit the user and device claims that are present in the token of an associated logon. |
| {0cce9248-69ae-11d9-bed3-505054503030} | Identifies the PNP Activity audit subcategory. This subcategory should audit events generated by plug and play (PNP). |
| {0cce9249-69ae-11d9-bed3-505054503030} | Identifies the Group Membership audit subcategory. This subcategory should audit the group membership of a token for an associated logon. |