Sample PowerShell code to enable auditing on a folder


# Run this from an elevated session: writing a SACL requires SeSecurityPrivilege.
$computer = $env:COMPUTERNAME
$path = "C:\New Folder"
$user = "Everyone"
# WQL string literals need the backslashes in the path doubled
$wqlPath = $path.Replace("\", "\\")

$SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
$ace = ([WMIClass] "Win32_ACE").CreateInstance()
$Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()

# Resolve the account name to a SID and hand the trustee its binary form
$SID = (New-Object System.Security.Principal.NTAccount $user).Translate([System.Security.Principal.SecurityIdentifier])
[byte[]] $SIDArray = ,0 * $SID.BinaryLength
$SID.GetBinaryForm($SIDArray, 0)
$Trustee.Name = $user
$Trustee.SID = $SIDArray

# The audit ACE: which rights to audit, how it inherits, and which outcomes to log.
# AceFlags bits: 0x1 OBJECT_INHERIT, 0x2 CONTAINER_INHERIT, 0x40 SUCCESSFUL_ACCESS, 0x80 FAILED_ACCESS
$ace.AccessMask = [System.Security.AccessControl.FileSystemRights]"Modify"
$ace.AceFlags = 0x1 -bor 0x2 -bor 0x40 -bor 0x80   # this folder, subfolders and files; success and failure
$ace.AceType = 2                                    # SYSTEM_AUDIT_ACE_TYPE
$ace.Trustee = $Trustee

# SACL is an array of ACEs. Note: SetSecurityDescriptor replaces the folder's
# existing SACL with this one, so any audit entries already present are lost.
$SD.SACL = @($ace)
$SD.ControlFlags = 0x10                             # SE_SACL_PRESENT

$wPrivilege = Get-WmiObject Win32_LogicalFileSecuritySetting -ComputerName $computer -Filter "path='$wqlPath'"
$wPrivilege.psbase.Scope.Options.EnablePrivileges = $true   # enables SeSecurityPrivilege on the WMI connection
$result = $wPrivilege.SetSecurityDescriptor($SD)
if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with return code $($result.ReturnValue)" }
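As an added example that is not part of the original post, the following function does the same job through the .NET FileSystemAuditRule API (Get-Acl -Audit / Set-Acl) rather than WMI. It is parameterised on the audit type (Success, Failure or both) and on the scope the Advanced Security Settings dialog calls "This folder only", "This folder, subfolders and files", and so on, which covers the cases asked about in the comments. Unlike the WMI script above it adds an entry to the existing SACL instead of replacing it. The function name Add-FolderAuditRule and the scope names in the ValidateSet are this example's own; the folder path in the usage call is assumed to exist.

```powershell
# Added example (not from the original post). Must run elevated: reading and
# writing a SACL needs SeSecurityPrivilege. Function and scope names are this
# example's own.
function Add-FolderAuditRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Well-known groups such as Everyone need no host prefix
        [string] $Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Modify',
        # 'Success', 'Failure' or 'Success, Failure'
        [System.Security.AccessControl.AuditFlags] $AuditFlags = 'Failure',
        # Names follow the "Applies to" drop-down in Advanced Security Settings
        [ValidateSet('ThisFolderOnly', 'ThisFolderSubfoldersAndFiles',
                     'ThisFolderAndSubfolders', 'ThisFolderAndFiles',
                     'SubfoldersAndFilesOnly')]
        [string] $AppliesTo = 'ThisFolderSubfoldersAndFiles'
    )

    # GUI scope -> (InheritanceFlags, PropagationFlags)
    $scope = @{
        ThisFolderOnly               = @('None',                            'None')
        ThisFolderSubfoldersAndFiles = @('ContainerInherit, ObjectInherit', 'None')
        ThisFolderAndSubfolders      = @('ContainerInherit',                'None')
        ThisFolderAndFiles           = @('ObjectInherit',                   'None')
        SubfoldersAndFilesOnly       = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    }[$AppliesTo]
    $inherit   = [System.Security.AccessControl.InheritanceFlags] $scope[0]
    $propagate = [System.Security.AccessControl.PropagationFlags] $scope[1]

    # Fail early if the account name does not resolve to a SID
    $account = [System.Security.Principal.NTAccount] $Identity
    $null = $account.Translate([System.Security.Principal.SecurityIdentifier])

    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $account, $Rights, $inherit, $propagate, $AuditFlags)

    # -Audit pulls the SACL; AddAuditRule merges with the entries already there
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read back what the folder now carries for this identity
    (Get-Acl -Path $Path -Audit).Audit |
        Where-Object { $_.IdentityReference.Value -eq $account.Value }
}

# The case raised in the comments: failed Modify attempts by Everyone, this folder only
Add-FolderAuditRule -Path 'C:\New Folder' -Identity 'Everyone' -AuditFlags Failure -AppliesTo ThisFolderOnly

# A SACL entry alone produces nothing. Events (4663 for object access) are only
# written once the File System subcategory of Object Access auditing is enabled:
#   auditpol /set /subcategory:"File System" /failure:enable
```

The scope table is the part people usually get wrong: "This folder only" is simply no inheritance flags, while "Subfolders and files only" needs both inheritance flags plus InheritOnly so the entry does not apply to the folder itself. Check the result with `Get-Acl -Audit` rather than trusting the call succeeded.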


Comments (2)

  1. Kostas says:

    Hello. It looks very convenient. Congrats. Can you break down the script and explain how it works?

    How can you modify it to apply specific audit permissions? I tried to apply it on a test folder but I can't modify the settings.

    For example, what if i want for the principal “hostname\everyone” to record all the “Failed” events?

    Kind Regards

  2. Kostas says:

    Hello.

    I would like to ask if it’s possible to modify the script so it can fit the needs. For example, if we want the type of audit to be “Fail”, for “$computer\Everyone”, and to be applied to “This folder only”, how do we modify it?

    Kind Regards