Question
I am trying to apply audit rules with this code
https://stackoverflow.com/questions/13509667
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russianfunction add-acl($Right,$Access)
{
$audit = "mydomain\myaccount","$Right","containerinherit","none","$Access"
$r = new-object system.security.accesscontrol.registryauditrule $audit
$acl.addauditrule($r)
}
$acl = get-acl hklm:\software\_test
add-acl "CreateSubKey" "Success"
add-acl "Delete" "Success"
add-acl "Delete" "Failure"
$acl | set-acl
but this code writes audit rules without taking account of earlier rules. So I wanted to retrieve audit rules before applying the code. To do so, I used the method getauditrules() :
$acl.getauditrules($true,$true,??)
In ?? position, I tried NTaccount object and windowsSecurity. It doesn't return an error and in fact does not return something at all. This is really disapointing because while using windows interface, I can see that an audit rule is applied. I don't understand what type of object is expecting the getauditrules() method. Can someone help me ?
Solution
Try adding the -audit paramenter to get-acl cmdlet ( this retrieve SACL , System Access Control List).
$acl = get-acl hklm:\software\_test -audit
the you can use:
$acl.getauditrules($true,$true, [System.Security.Principal.NTAccount] )
or
$acl.getauditrules($true,$true, [System.Security.Principal.SecurityIdentifier] )
based on your goal.
