how do you change the auditing settings of a specific folder with CMD?

Question

I am basically trying to repeat the following manual steps but with a CMD command : Properties>Advanced>Auditing>Add> Everyone, Full control.
I only want to turn on auditing for one specific folder and it needs to be done with CMD due to hardening reasons.

Answer 1

Hello @Nowtside

You can use the command line Auditpol in order to manipulate the audit settings to folders and subsequent items:

Auditpol
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731451(v=ws.11)?redirectedfrom=MSDN

Hope this helps with your query,

---------
--If the reply is helpful, please Upvote and Accept as answer--

Answer 2

You can do it with Powershell.

# Refer to https://www.reddit.com/r/PowerShell/comments/pukqlx/setup_audit_folder/
$path = "C:\temp\test"
$AuditUser = "Everyone"
$AuditRules = "ReadAndExecute"
$InheritType = "ContainerInherit,ObjectInherit"
$AuditType = "Fail"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$InheritType,"None",$AuditType)
$ACL = (get-item $path).GetAccessControl('Access')
$ACL.SetAuditRuleProtection($false, $false)
$ACL.AddAuditRule($AccessRule)
$ACL | Set-Acl $path

I saw in your other post that Powershell was disabled in your environment. IMHO, that is a huge mistake and is only going to cause your organization trouble in the future as Microsoft migrates more and more OS support tasks/functionality into Powershell.

Setacl appears to be able to also do it, but if your org has PS disabled, I doubt that they will allow freeware on your system.

https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/