2.2.1.3.2 Inclusion Setting, Exclusion Setting, and SettingValue for Per-User Audit Subcategories
This section defines the syntax for the InclusionSetting, ExclusionSetting, and SettingValue attributes when the PolicyTarget attribute is set to a specific user or group SID.
The syntax for the entries in this category MUST be as follows.
InclusionSetting-UA = "SettingValueText"
ExclusionSetting-UA = SettingValueText
SettingValueText-UA = "Success" / "Failure" / "Success and Failure" / "No Auditing" / "Not Specified"
SettingValue-UA = 1*DIGIT
Note that the element names above have a postfix of "-UA" to differentiate them from System advanced audit policy settings, which have a postfix of "-SA".
The attribute SettingValueText is for user readability only and is ignored when the advanced audit policy is applied by the audit configuration client-side plug-in.
The value of SettingValue MUST be one of the following:
A value of "0": Indicates that this audit subcategory setting is unchanged.
A value of "16": Indicates that this audit subcategory setting is set to None.
A decimal numerical value created by combining the following bits.
| Bit order | Hexadecimal value | Purpose |
|---|---|---|
| 1 | 0x01 | Include Success: This bit will cause a Success Audit to be generated even if not specified by the system advanced audit policy. |
| 2 | 0x02 | Exclude Success: This bit will cause a Success Audit to be suppressed regardless of the system advanced audit policy. This setting is not honored for users who are members of the Administrators local group. |
| 3 | 0x04 | Include Failure: This bit will cause a Failure Audit to be generated even if not specified by the system advanced audit policy. |
| 4 | 0x08 | Exclude Failure: This bit will cause a Failure Audit to be suppressed regardless of the system advanced audit policy. This setting is not honored for users who are members of the Administrators local group. |
Note: Include has a higher precedence than Exclude:
If Include Success and Exclude Success bits are set, Include Success is used and Exclude Success is ignored.
If Include Failure and Exclude Failure bits are set, Include Failure is used and Exclude Failure is ignored.<6>
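The following decoder is an added example, not part of the specification: it applies the SettingValue rules and the bit table above, including Include-over-Exclude precedence and the Administrators exception, and flags values that suppress auditing for a user. The function names and the `is_local_admin` parameter are hypothetical, and rejecting any value other than 0, 16, or a combination of the four bits is this example's reading of the MUST list.

```python
# Added example: decode a per-user SettingValue using the bit table above.
INCLUDE_SUCCESS, EXCLUDE_SUCCESS = 0x01, 0x02
INCLUDE_FAILURE, EXCLUDE_FAILURE = 0x04, 0x08
UNCHANGED, SET_TO_NONE = 0, 16
ALL_BITS = 0x0F


def _resolve(value, include_bit, exclude_bit, is_local_admin):
    """Outcome for one audit type: 'force', 'suppress' or 'system'."""
    if value & include_bit:
        return "force"      # Include has precedence over Exclude
    if value & exclude_bit:
        # Exclude is not honored for members of the Administrators local group
        return "system" if is_local_admin else "suppress"
    return "system"         # no bit set: system advanced audit policy decides


def decode_setting_value(text, is_local_admin=False):
    """Decode SettingValue (1*DIGIT, decimal) for a per-user subcategory."""
    text = text.strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError("SettingValue must be 1*DIGIT: %r" % text)
    value = int(text)
    if value == UNCHANGED:
        return {"state": "unchanged"}
    if value == SET_TO_NONE:
        return {"state": "none"}
    if value > ALL_BITS:    # assumption: anything else violates the MUST list
        raise ValueError("SettingValue out of range: %d" % value)
    return {
        "state": "flags",
        "success": _resolve(value, INCLUDE_SUCCESS, EXCLUDE_SUCCESS, is_local_admin),
        "failure": _resolve(value, INCLUDE_FAILURE, EXCLUDE_FAILURE, is_local_admin),
    }


def suppresses_auditing(text, is_local_admin=False):
    """True if the value suppresses Success or Failure audits for this user."""
    decoded = decode_setting_value(text, is_local_admin)
    return "suppress" in (decoded.get("success"), decoded.get("failure"))


if __name__ == "__main__":
    for sample in ("0", "16", "3", "10", "12"):  # constructed sample values
        print(sample, decode_setting_value(sample), suppresses_auditing(sample))
```

When reviewing a per-user audit policy, entries for which `suppresses_auditing` returns True are the ones that reduce logging below the system advanced audit policy for that user or group.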