
I'm trying to find a command line way to get security settings from Local Security Policy. Specifically Security Settings > Local Policies > Audit Policy. A list of the policy and the current security setting. Ability to see if policy is editable or if set from another source would be a bonus, but not required.

Settings in question from the Local Security Policy window:

[screenshot not available]

womble
StackWolf

2 Answers


It depends on whether legacy (aka "category level") or advanced audit policies are in effect.

For legacy audit policies (what your screenshot shows):

secedit.exe /export /areas SECURITYPOLICY /cfg filename.txt  

For advanced audit policies:

auditpol.exe /get /category:*

What determines if legacy or advanced policy settings are in effect is the registry value:

Key: HKLM\System\CurrentControlSet\Control\Lsa  
Value: SCENoApplyLegacyAuditPolicy 

This corresponds to the following group policy setting, Windows Settings > Security Settings > Local Policies > Security Options: Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature.

To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy.

If SCENoApplyLegacyAuditPolicy is enabled/1, legacy audit policy settings are not in effect.

If SCENoApplyLegacyAuditPolicy is disabled/0, legacy audit policy settings are in effect.

Greg Askew
  • Thanks! It seems like no matter if legacy or advanced policy settings are in effect, the auditpol command will give full details - per https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/. The result of the secedit command has a [Event Audit] section with the categories listed, and a number value showing the setting. https://msdn.microsoft.com/en-us/library/cc232776.aspx seems to be the reference for what the values mean. (Sorry for multiple edits, figuring out comments) – StackWolf Sep 12 '16 at 15:59
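As an added example (not part of either answer), here is a PowerShell script that reads SCENoApplyLegacyAuditPolicy and then lists the audit settings in the form the answer says is in effect: auditpol's CSV output (/r) for advanced policy, or the [Event Audit] section of the secedit export for legacy policy. The function names and the temp file path are my own; the 0 to 3 meanings are secedit's standard encoding (0 none, 1 success, 2 failure, 3 both), and an elevated prompt is assumed.

```powershell
# Added example, not from the answers above: pick the audit policy view that
# matches SCENoApplyLegacyAuditPolicy and print the effective settings.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$val = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
            -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy

function Get-AdvancedAuditPolicy {
    # /r makes auditpol emit CSV; ConvertFrom-Csv turns each row into an object.
    auditpol.exe /get /category:* /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-LegacyAuditPolicy {
    # Export the legacy (category-level) policy and parse its [Event Audit] section.
    $inf = Join-Path $env:TEMP 'secpol-export.inf'   # temp path is my own choice
    secedit.exe /export /areas SECURITYPOLICY /cfg $inf | Out-Null
    $meaning = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success, Failure' }
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^(Audit\w+)\s*=\s*(\d+)') {
            [pscustomobject]@{
                Category = $Matches[1]
                Value    = $Matches[2]
                Setting  = $meaning[$Matches[2]]
            }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

if ($val -eq 1) {
    Write-Host 'SCENoApplyLegacyAuditPolicy = 1: advanced (subcategory) policy is in effect'
    Get-AdvancedAuditPolicy | Format-Table -AutoSize
} else {
    # Absent or 0: the answer above says legacy category-level policy applies.
    $shown = if ($null -eq $val) { '(not set)' } else { $val }
    Write-Host "SCENoApplyLegacyAuditPolicy = $shown : legacy (category) policy is in effect"
    Get-LegacyAuditPolicy | Format-Table -AutoSize
}
```

Per the comment above, running Get-AdvancedAuditPolicy on its own also shows the effective policy regardless of the registry value, since auditpol reports what LSA actually enforces.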

I think the answer may be:

auditpol /get /category:* (administrative command prompt required)

ref: https://support.microsoft.com/en-us/kb/2573113 https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/

(Rule of the universe - spend hours researching, create account on stack exchange, google more, draft question, review answers that serverfault brings up, sleep on it, research more, finally post the darn question, and then find the answer 15 minutes later >.<)

StackWolf