Get the Windows Advanced Audit Policy configuration from remote machines with PowerShell

As part of our Server Documentation Tool we have now expanded it's security audit capability.

The system can now gather information about the advanced audit policy of a Windows machine all the way to Windows 10.

The information is gathered from remote machines without an agent being installed using Windows PowerShell remoting.



In a similar fashion to the Group Policy Console or the Auditpol.exe tool the following category or subcategory information can be obtained.

The auditpol.exe tool gives you the definitive configured settings, and it is the same API that XIA Configuration Server uses to determine the active audit settings. In addition to auditpol.exe however we also collect information about whether the setting is configured locally or using Group Policy, and if using Group Policy which policy is effective in applying this setting.

(NOTE: Not all subcategories are available on all operating systems)

Account Logon
Credential Validation
Kerberos Authentication Service
Kerberos Service Ticket Operations
Other Account Logon Events

Account Management
Application Group Management
Computer Account Management
Distribution Group Management
Other Account Management Events
Security Group Management
User Account Management

Detailed Tracking
DPAPI Activity
Process Creation
Process Termination
RPC Events
DS Access
Subcategory
Detailed Directory Service Replication
Directory Service Access
Directory Service Changes
Directory Service Replication

Logon/Logoff
Account Lockout
IPsec Extended Mode
IPsec Main Mode
IPsec Quick Mode
Logoff
Logon
Network Policy Server
Other Logon/Logoff Events
Special Logon
User / Device Claims

Object Access
Application Generated
Central Policy Staging
Certification Services
Detailed File Share
File Share
File System
Filtering Platform Connection
Filtering Platform Packet Drop
Handle Manipulation
Kernel Object
Other Object Access Events
Registry
Removable Storage
SAM

Policy Change
Audit Policy Change
Authentication Policy Change
Authorization Policy Change
Filtering Platform Policy Change
MPSSVC Rule-Level Policy Change
Other Policy Change Events

Privilege Use
Non Sensitive Privilege Use
Other Privilege Use Events
Sensitive Privilege Use

System
IPsec Driver
Other System Events
Security State Change
Security System Extension
System Integrity


Comments

Popular posts from this blog

Windows Server 2016, 2019, 2022, Windows 10 and Windows 11: Date and time "Some settings are managed by your organization".

TFTPD32 or TFTPD64 reports Bind error 10013 An attempt was made to access a socket in a way forbidden by its access permissions.

Windows Server 2019 desktop icons such as My Computer, Windows cannot access the specified device, path, or file.