setup audit with powershell

Dennism 1 Reputation point
2021-09-25T09:52:54.46+00:00

I have a script for setup audit for a folder.
Now problem is because I want to add another rule to audit.
But this script always remove all rules and make a new one.
how to make 2 rules for 2 users in audit section with script?

$path = "D:\import\data"
$dirs = Get-ChildItem $location -Directory

Set Audit Rules

$AuditUser = "Domain Admins"
$AuditRules = "ReadAndExecute"
$InheritType = "ContainerInherit,ObjectInherit"
$AuditType = "Success"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,"None",$AuditType)
$ACL = (get-item $path).GetAccessControl('Access')
$ACL.SetAuditRuleProtection($false, $false)
$ACL.SetAuditRule($AccessRule)
$ACL | Set-Acl $path

Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,459 questions
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. Rich Matheisen 45,831 Reputation points
    2021-09-25T14:22:57.787+00:00

    You should probably be using AddAuditRule, not SetAuditRule.

    0 comments No comments

  2. Dennism 1 Reputation point
    2021-09-25T16:20:29.547+00:00

    I tried that to and it doesn't help


  3. Limitless Technology 39,511 Reputation points
    2021-09-28T13:46:11.297+00:00

    Hello Dennism,

    If you need to retrieve audit logs on a regular basis, you should consider a solution that uses the Office 365 Management Activity API because it that can provide large organizations with the scalability and performance to retrieve millions of audit records on an ongoing basis.

    Using the audit log search tool in Microsoft 365 compliance center is a good way to quickly find audit records for specific operations that occur in a shorter time range. Using longer time ranges in the audit log search tool, especially for large organizations, might return too many records to easily manage or export.

    When there are situations where you need to manually retrieve auditing data for a specific investigation or incident, particularly for longer date ranges in larger organizations, using the Search-UnifiedAuditLog cmdlet may be the best option.

    https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-search-script?view=o365-worldwide

    -----------------------------------------------------------------------------------------------------------------------

    Hope this answers all your queries, if not please do repost back.
    If an Answer is helpful, please click "Accept Answer" and upvote it : )


  4. Dylan Sikora 1 Reputation point
    2022-11-08T19:14:48.47+00:00

    In case anyone runs across this thread and has the same issue, the following fixed my issue

    $Path = "C:\path"
    $AuditUser = "domain\user"
    $AuditRules = "Write,Delete"
    $InheritType = "ContainerInherit,ObjectInherit"
    $AuditType = "Success, Failure"
    $PropogationType = "NoPropagateInherit"
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,$PropogationType,$AuditType)
    #NOTE: Using get-acl instead of (get-item $path).GetAccessControl('Access')
    $ACL = get-acl $path -audit
    $ACL.AddAuditRule($AccessRule)
    $ACL | Set-Acl $path

    0 comments No comments