auditpol set

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Sets the per-user audit policy, system audit policy, or auditing options.

To perform set operations on the per-user and system policies, you must have Write or Full Control permission for that object set in the security descriptor. You can also perform set operations if you have the Manage auditing and security log (SeSecurityPrivilege) user right. However, this right allows additional access that is not necessary to perform the overall set operations.

Syntax

auditpol /set
[/user[:<username>|<{sid}>][/include][/exclude]]
[/category:<name>|<{guid}>[,:<name|<{guid}> ]]
[/success:<enable>|<disable>][/failure:<enable>|<disable>]
[/subcategory:<name>|<{guid}>[,:<name|<{guid}> ]]
[/success:<enable>|<disable>][/failure:<enable>|<disable>]
[/option:<option name> /value: <enable>|<disable>]

Parameters

Parameter Description
/user The security principal for whom the per-user audit policy specified by the category or subcategory is set. Either the category or subcategory option must be specified, as a security identifier (SID) or name.
/include Specified with /user; indicates that the user's per-user policy will cause an audit to be generated even if it is not specified by the system audit policy. This setting is the default and is automatically applied if neither the /include nor /exclude parameters are explicitly specified.
/exclude Specified with /user; indicates that the user's per-user policy will cause an audit to be suppressed regardless of the system audit policy. This setting is ignored for users who are members of the local Administrators group.
/category One or more audit categories specified by globally unique identifier (GUID) or name. If no user is specified, the system policy is set.
/subcategory One or more audit subcategories specified by GUID or name. If no user is specified, the system policy is set.
/success Specifies success auditing. This setting is the default and is automatically applied if neither the /success nor /failure parameters are explicitly specified. This setting must be used with a parameter indicating whether to enable or disable the setting.
/failure Specifies failure auditing. This setting must be used with a parameter indicating whether to enable or disable the setting.
/option Sets the audit policy for the CrashOnAuditFail, FullprivilegeAuditing, AuditBaseObjects, or AuditBasedirectories options.
/sd Sets the security descriptor used to delegate access to the audit policy. The security descriptor must be specified by using the Security Descriptor Definition Language (SDDL). The security descriptor must have a discretionary access control list (DACL).
/? Displays help at the command prompt.

Examples

To set the per-user audit policy for all subcategories under the detailed Tracking category for the user mikedan so that all the user's successful attempts will be audited, type:

auditpol /set /user:mikedan /category:detailed Tracking /include /success:enable

To set the per-user audit policy for categories specified by name and GUID, and subcategories specified by GUID to suppress auditing for any successful or failed attempts, type:

auditpol /set /user:mikedan /exclude /category:Object Access,System,{6997984b-797a-11d9-bed3-505054503030}
/subcategory:{0ccee9210-69ae-11d9-bed3-505054503030},:{0ccee9211-69ae-11d9-bed3-505054503030}, /success:enable /failure:enable

To set the per-user audit policy for the specified user for all the categories for the suppression of auditing of all but successful attempts, type:

auditpol /set /user:mikedan /exclude /category:* /success:enable

To set the system audit policy for all subcategories under the detailed Tracking category to include auditing for only successful attempts, type:

auditpol /set /category:detailed Tracking /success:enable

Note

The failure setting is not altered.

To set the system audit policy for the Object Access and System categories (which is implied because subcategories are listed) and subcategories specified by GUIDs for the suppression of failed attempts and the auditing of successful attempts, type:

auditpol /set /subcategory:{0ccee9210-69ae-11d9-bed3-505054503030},{0ccee9211-69ae-11d9-bed3-505054503030}, /failure:disable /success:enable

To set the auditing options to the enabled state for the CrashOnAuditFail option, type:

auditpol /set /option:CrashOnAuditFail /value:enable