Auditpol resourceSACL
Applies To: Windows 7, Windows Server 2008 R2
Configures global resource system access control lists (SACLs).
Note
Applies only to Windows 7 and Windows Server 2008 R2.
For examples of how this command can be used, see Examples.
Syntax
auditpol /resourceSACL
[/set /type:<resource> [/success] [/failure] /user:<user> [/access:<access flags>]]
[/remove /type:<resource> /user:<user> [/type:<resource>]]
[/clear [/type:<resource>]]
[/view [/user:<user>] [/type:<resource>]]
Parameters
Parameter | Description |
---|---|
/set |
Adds a new entry to or updates an existing entry in the resource SACL for the resource type specified. |
/remove |
Removes all entries for the given user in the global object access auditing list. |
/clear |
Removes all entries from the global object access auditing list. |
/view |
Lists the global object access auditing entries in a resource SACL. The user and resource types are optional. |
/? |
Displays help at the command prompt. |
Arguments
Argument | Description | ||
---|---|---|---|
/type |
The resource for which object access auditing is being configured. The supported argument values are File (for directories and files) and Key (for registry keys).
|
||
/success |
Specifies success auditing. |
||
/failure |
Specifies failure auditing. |
||
/user |
Specifies a user in one of the following forms:
|
||
/access |
Specifies a permission mask that can be specified in one of two forms:
|
Remarks
For resourceSACL operations, you must have Write or Full Control permission on that object set in the security descriptor. You can also perform resourceSACL operations by possessing the Manage auditing and security log (SeSecurityPrivilege) user right. However, this right allows additional access that is not necessary to perform the remove operation.
Examples
To set a global resource SACL to audit successful access attempts by a user on a registry key:
auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\myuser /success
To set a global resource SACL to audit successful and failed attempts by a user to perform generic read and write functions on files or folders:
auditpol /resourceSACL /set /type:File /user:MYDOMAIN\myuser /success /failure /access:FRFW
To remove all global resource SACL entries for files or folders:
auditpol /resourceSACL /type:File /clear
To remove all global resource SACL entries for a particular user from files or folders:
auditpol /resourceSACL /remove /type:File /user:{S-1-5-21-56248481-1302087933-1644394174-1001}
To list the global object access auditing entries set on files or folders:
auditpol /resourceSACL /type:File /view
To list the global object access auditing entries for a particular user that are set on files or folders:
auditpol /resourceSACL /type:File /view /user:MYDOMAIN\myuser