setup audit with powershell

Dennism 1 Reputation point
2021-09-25T09:52:54.46+00:00

I have a script to set up auditing for a folder.
The problem is that I want to add another audit rule,
but this script always removes all rules and creates a new one.
How do I make two rules for two users in the audit section with a script?

$path = "D:\import\data"
$dirs = Get-ChildItem $path -Directory

# Set Audit Rules

$AuditUser = "Domain Admins"
$AuditRules = "ReadAndExecute"
$InheritType = "ContainerInherit,ObjectInherit"
$AuditType = "Success"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,"None",$AuditType)
# 'Access' loads only the DACL section, so the object holds no existing audit (SACL) entries
$ACL = (get-item $path).GetAccessControl('Access')
$ACL.SetAuditRuleProtection($false, $false)
$ACL.SetAuditRule($AccessRule)
$ACL | Set-Acl $path


4 answers

  1. Rich Matheisen 45,096 Reputation points
    2021-09-25T14:22:57.787+00:00

    You should probably be using AddAuditRule, not SetAuditRule.


  2. Dennism 1 Reputation point
    2021-09-25T16:20:29.547+00:00

    I tried that too and it doesn't help.


  3. Limitless Technology 39,396 Reputation points
    2021-09-28T13:46:11.297+00:00

    Hello Dennism,

    If you need to retrieve audit logs on a regular basis, you should consider a solution that uses the Office 365 Management Activity API because it can provide large organizations with the scalability and performance to retrieve millions of audit records on an ongoing basis.

    Using the audit log search tool in Microsoft 365 compliance center is a good way to quickly find audit records for specific operations that occur in a shorter time range. Using longer time ranges in the audit log search tool, especially for large organizations, might return too many records to easily manage or export.

    When there are situations where you need to manually retrieve auditing data for a specific investigation or incident, particularly for longer date ranges in larger organizations, using the Search-UnifiedAuditLog cmdlet may be the best option.

    https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search-script?view=o365-worldwide

    -----------------------------------------------------------------------------------------------------------------------

    Hope this answers all your queries, if not please do repost back.
    If an Answer is helpful, please click "Accept Answer" and upvote it : )


  4. Dylan Sikora 1 Reputation point
    2022-11-08T19:14:48.47+00:00

    In case anyone runs across this thread and has the same issue, the following fixed my issue:

    $Path = "C:\path"
    $AuditUser = "domain\user"
    $AuditRules = "Write,Delete"
    $InheritType = "ContainerInherit,ObjectInherit"
    $AuditType = "Success, Failure"
    $PropagationType = "NoPropagateInherit"
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,$PropagationType,$AuditType)
    #NOTE: Using get-acl -audit instead of (get-item $path).GetAccessControl('Access'),
    # so the existing SACL entries are loaded and AddAuditRule merges with them
    $ACL = get-acl $path -audit
    $ACL.AddAuditRule($AccessRule)
    $ACL | Set-Acl $path

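Putting the two answers together (AddAuditRule from answer 1, Get-Acl -Audit from answer 4), here is an added example that is not code from the thread: it adds one audit rule per identity while keeping the SACL entries already on the folder, then reads the SACL back so you can confirm both entries landed. The path and the two identities are placeholders, not values from the thread. It has to run from an elevated session, because reading and writing a SACL requires SeSecurityPrivilege, and the entries only produce Security-log events once the "Audit File System" (Object Access) audit policy subcategory is enabled on the server.

```powershell
# Added example, not from the thread. Placeholders: $Path and the identities in $Rules.
# Run elevated: reading and writing the SACL needs SeSecurityPrivilege.
$Path = 'D:\import\data'

# One entry per identity: who to audit, which rights, and success/failure.
$Rules = @(
    @{ Identity = 'DOMAIN\Domain Admins'; Rights = 'ReadAndExecute'; Flags = 'Success' },
    @{ Identity = 'DOMAIN\svc-import';    Rights = 'Write,Delete';   Flags = 'Success,Failure' }
)

$Inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$Propagation = [System.Security.AccessControl.PropagationFlags]::None

# -Audit loads the existing SACL. Without it (or with GetAccessControl('Access'))
# the object carries no audit entries, so Set-Acl writes back only the rules added here.
$Acl = Get-Acl -Path $Path -Audit

foreach ($r in $Rules) {
    $rights = [System.Security.AccessControl.FileSystemRights]$r.Rights
    $flags  = [System.Security.AccessControl.AuditFlags]$r.Flags
    $rule   = [System.Security.AccessControl.FileSystemAuditRule]::new($r.Identity, $rights, $Inherit, $Propagation, $flags)

    # AddAuditRule merges with what is already there; SetAuditRule would first
    # remove this identity's existing audit entries for the same audit flags.
    $Acl.AddAuditRule($rule)
}

Set-Acl -Path $Path -AclObject $Acl

# Verify: read the SACL back and list every audit entry, inherited ones included.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags, IsInherited |
    Format-Table -AutoSize
```

To cover the subfolders the original question enumerates with Get-ChildItem -Directory, you normally do not need to touch each one: ContainerInherit,ObjectInherit with PropagationFlags None lets the entries flow down from $Path, unless a subfolder has had SACL inheritance disabled (SetAuditRuleProtection), in which case the verification listing above, run against that subfolder, will show the entries missing.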