{"id":174,"date":"2011-01-04T03:04:00","date_gmt":"2011-01-04T03:04:00","guid":{"rendered":"https:\/\/belayclientstaging.zone\/securityeverafter\/2011\/01\/04\/how-do-you-do-auditpol\/"},"modified":"2011-01-04T03:04:00","modified_gmt":"2011-01-04T03:04:00","slug":"how-do-you-do-auditpol","status":"publish","type":"post","link":"https:\/\/securityeverafter.com\/how-do-you-do-auditpol\/","title":{"rendered":"How do you do, Auditpol?"},"content":{"rendered":"

What if there were an alternative to using the Local Security Policy to set the options needed to support your security policy? Starting with Windows 7 and 2008 there is a new, perhaps even better way: Auditpol, which offers much more granularity.<\/p>\n

The full explanation of this setting is:<\/p>\n

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.<\/p>\n

Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories.  Setting audit policy at the category level will override the new subcategory audit policy feature.  To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.<\/p>\n

If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.<\/p>\n

To enable this option, visit Local Security Policy –> Local Policies –> Security Options –> Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. By default this option is not enabled. <\/p>\n

Auditpol is strictly a command-line tool that is invoked by typing, you guessed it, Auditpol. It has several switches that allow you to display, set, clear, back up and restore these settings.<\/p>\n

The best way to become comfortable with the use of auditpol is to try it out on a test system. <\/p>\n

Steps:
0) Enable the Audit Setting above
1) Open the Command Prompt as Administrator
2) Clear any existing settings with Auditpol \/clear
3) Run the following command to view the current Auditpol settings – Auditpol \/get \/category:*
4) Configure the settings that support your Security Policy
5) Run the following command to view the new Auditpol settings – Auditpol \/get \/category:*<\/p>\n

Sure, this is nice, but what if you have more than one server?<\/p>\n

Glad you asked.<\/p>\n

The backup option can be used to export the Auditpol settings to a csv or txt file – Auditpol \/backup \/file:C:\\Windows\\policy.txt. This can be used to back up from one server and restore to another.<\/p>\n

Take a look at the output file in a text editor. The first field is obviously the hostname. If you are comfortable with the security settings, simply replace the original server name with the new server name and deploy the Auditpol settings. This will certainly save time over building each setting in the command line. You can save even more time by replacing the value of the hostname field with localhost.<\/p>\n

With this change in place, the policy can be saved and then imported very quickly. To import the audit policy, enter the command – Auditpol \/restore \/file:C:\\Windows\\policy.txt. Now these granular security settings are applied without having to go through the meticulous steps via the command line. If you are using Group Policy, you can also use it to deploy and enforce auditpol in your domain.<\/p>\n
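
The backup, edit and restore procedure above, as an added PowerShell example (not code from the original post): it rewrites the hostname field of a backup and, going one step beyond the post, compares a second backup against the baseline to confirm a restore took effect. The CSV rows and the host names SRV-A and SRV-B are constructed sample data, and both function names are hypothetical.

```powershell
# Constructed sample data: two auditpol /backup files cut down to three rows.
# Host names SRV-A and SRV-B are made up for this example.
$baselineCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
SRV-A,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3
SRV-A,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,,1
SRV-A,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1
'@
$targetCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
SRV-B,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,,1
SRV-B,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,,1
SRV-B,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,,0
'@

# Rewrite only the first field (hostname) of every data row, leaving the
# rest of each line byte-for-byte as auditpol wrote it.
function Set-AuditBackupHost {
    param([string]$CsvText, [string]$NewHost)
    $lines = $CsvText.Split([char[]](13, 10), [StringSplitOptions]::RemoveEmptyEntries)
    $lines[0]                                    # header row stays as written
    $lines | Select-Object -Skip 1 | Where-Object { $_ -like '*,*' } | ForEach-Object {
        $NewHost + $_.Substring($_.IndexOf(','))  # keep everything after the hostname
    }
}

# Report subcategories whose Setting Value on the target differs from the baseline.
function Compare-AuditBackup {
    param([string]$BaselineCsv, [string]$TargetCsv)
    $want = @{}
    $BaselineCsv | ConvertFrom-Csv | ForEach-Object { $want[$_.Subcategory] = $_ }
    $TargetCsv | ConvertFrom-Csv | ForEach-Object {
        $b = $want[$_.Subcategory]
        if ($b -and $b.'Setting Value' -ne $_.'Setting Value') {
            [pscustomobject]@{
                Subcategory = $_.Subcategory
                Baseline    = $b.'Inclusion Setting'
                Target      = $_.'Inclusion Setting'
            }
        }
    }
}

# Show the drift, then emit the baseline retargeted at SRV-B.
Compare-AuditBackup $baselineCsv $targetCsv | Format-Table -AutoSize
Set-AuditBackupHost $baselineCsv 'SRV-B'   # save the output, then auditpol /restore /file:<path>
```

On a real server, feed the functions the text of files produced by auditpol /backup instead of the inline samples.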

I have not yet determined why the settings you make in Auditpol do not show up in the Local Security Policy. I did spend way too much time confirming these settings are not the same. Perhaps the answer is in the original phrase “override audit policy category settings”. <\/p>\n

Enjoy.<\/p>\n","protected":false},"excerpt":{"rendered":"

What if there were an alternative to using the Local Security Policy to set the options needed to support of your security policy? Starting with Windows 7 and 2008 there is a new, perhaps even better way, Auditpol that offers much more granularity. The full explanation of this setting is: Audit: Force audit policy subcategory […]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[10,11],"tags":[]}