2.2.1.3.2 Inclusion Setting, Exclusion Setting, and SettingValue for Per-User Audit Subcategories

  • Article

This section defines the syntax for the InclusionSetting, ExclusionSetting, and SettingValue attributes when the PolicyTarget attribute is set to a specific user or group SID.

The syntax for the entries in this category MUST be as follows.

  
 InclusionSetting-UA = "SettingValueText"
 ExclusionSetting-UA = SettingValueText
 SettingValueText-UA = "Success" / "Failure" / "Success and Failure" / "No Auditing" / "Not Specified"
 SettingValue-UA = 1*DIGIT

Note that the element names above have a postfix of "-UA" to differentiate them from System advanced audit policy settings, which have a postfix of "-SA".

The attribute SettingValueText is for user readability only and is ignored when the advanced audit policy is applied by the audit configuration client-side plug-in.

The value of SettingValue MUST be one of the following:

  • A value of "0": Indicates that this audit subcategory setting is unchanged.

  • A value of "16": Indicates that this audit subcategory setting is set to None.

  • A decimal numerical value created by combining the following bits.

    Bit order

    Hexadecimal value

    Purpose

    1

    0x01

    Include Success: This bit will cause a Success Audit to be generated even if not specified by the system advanced audit policy.

    2

    0x02

    Exclude Success: This bit will cause a Success Audit to be suppressed regardless of the system advanced audit policy. This setting is not honored for users who are members of the Administrators local group.

    3

    0x04

    Include Failure: This bit will cause a Failure Audit to be generated even if not specified by the system advanced audit policy.

    4

    0x08

    Exclude Failure: This bit will cause a Failure Audit to be suppressed regardless of the system advanced audit policy. This setting is not honored for users who are members of the Administrators local group.

    Note Include has a higher precedence than exclude:

  • If Include Success and Exclude Success bits are set, Include Success is used and Exclude Success is ignored.

  • If Include Failure and Exclude Failure bits are set, Include Failure is used and Exclude Failure is ignored.<6>