I am trying to apply audit rules with this code:
function add-acl($Right,$Access)
{
$audit = "mydomain\myaccount","$Right","containerinherit","none","$Access"
$r = new-object system.security.accesscontrol.registryauditrule $audit
$acl.addauditrule($r)
}
$acl = get-acl hklm:\software\_test
add-acl "CreateSubKey" "Success"
add-acl "Delete" "Success"
add-acl "Delete" "Failure"
$acl | set-acl
But this code writes audit rules without taking account of earlier rules. So I wanted to retrieve the audit rules before applying the code. To do so, I used the method getauditrules():
$acl.getauditrules($true,$true,??)
In the ?? position, I tried an NTaccount object and windowsSecurity. It doesn't return an error and in fact does not return anything at all. This is really disappointing because while using the Windows interface, I can see that an audit rule is applied. I don't understand what type of object the getauditrules() method is expecting. Can someone help me?
Try adding the -audit parameter to the get-acl cmdlet (this retrieves the SACL, System Access Control List).
$acl = get-acl hklm:\software\_test -audit
Then you can use:
$acl.getauditrules($true,$true, [System.Security.Principal.NTAccount] )
or
$acl.getauditrules($true,$true, [System.Security.Principal.SecurityIdentifier] )
based on your goal.
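The read-modify-write flow from the question and answer above, as an added example that is not part of the original posts. It reuses the key path and account name from the question, the helper name Add-AuditRule is hypothetical, and it assumes an elevated session, since reading or writing a SACL requires the SeSecurityPrivilege right ("Manage auditing and security log").

```powershell
# Added example (not from the original posts). Run in an elevated session.
$path    = 'HKLM:\Software\_test'   # key from the question
$account = 'mydomain\myaccount'     # account from the question

# -Audit makes Get-Acl load the SACL. Without it the object carries no audit
# rules, so GetAuditRules() returns nothing and a later Set-Acl cannot merge.
$acl = Get-Acl -Path $path -Audit

# Existing rules: explicit and inherited, identities shown as NTAccount names.
$before = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
Write-Host "Audit rules before: $(@($before).Count)"
$before | Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited

# Hypothetical helper: builds one rule and merges it into the loaded SACL.
function Add-AuditRule {
    param(
        [System.Security.AccessControl.RegistrySecurity] $Acl,
        [string] $Identity,
        [System.Security.AccessControl.RegistryRights] $Right,
        [System.Security.AccessControl.AuditFlags] $Flags
    )
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        $Identity, $Right,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    # AddAuditRule adds to the rules already in $Acl; it does not clear them.
    $Acl.AddAuditRule($rule)
}

# The three rules from the question.
Add-AuditRule -Acl $acl -Identity $account -Right CreateSubKey -Flags Success
Add-AuditRule -Acl $acl -Identity $account -Right Delete       -Flags Success
Add-AuditRule -Acl $acl -Identity $account -Right Delete       -Flags Failure

# Write the merged SACL back to the key.
Set-Acl -Path $path -AclObject $acl

# Re-read from the key to confirm the earlier rules are still present.
$after = (Get-Acl -Path $path -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount])
Write-Host "Audit rules after: $(@($after).Count)"
$after | Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited
```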