auditpol set

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Sets the per-user audit policy, system audit policy, or auditing options.

To perform set operations on the per-user and system policies, you must have Write or Full Control permission for that object set in the security descriptor. You can also perform set operations if you have the Manage auditing and security log (SeSecurityPrivilege) user right. However, this right allows additional access that is not necessary to perform the overall set operations.

Syntax

auditpol /set
[/user[:<username>|<{sid}>][/include][/exclude]]
[/category:<name>|<{guid}>[,<name>|<{guid}>]]
[/success:<enable>|<disable>][/failure:<enable>|<disable>]
[/subcategory:<name>|<{guid}>[,<name>|<{guid}>]]
[/success:<enable>|<disable>][/failure:<enable>|<disable>]
[/option:<option name> /value:<enable>|<disable>]

Parameters

Parameter      Description
/user          The security principal for whom the per-user audit policy specified by the category or subcategory is set. Either the category or subcategory option must be specified, as a security identifier (SID) or name.
/include       Specified with /user; indicates that the user's per-user policy will cause an audit to be generated even if it is not specified by the system audit policy. This setting is the default and is automatically applied if neither the /include nor /exclude parameters are explicitly specified.
/exclude       Specified with /user; indicates that the user's per-user policy will cause an audit to be suppressed regardless of the system audit policy. This setting is ignored for users who are members of the local Administrators group.
/category      One or more audit categories specified by globally unique identifier (GUID) or name. If no user is specified, the system policy is set.
/subcategory   One or more audit subcategories specified by GUID or name. If no user is specified, the system policy is set.
/success       Specifies success auditing. This setting is the default and is automatically applied if neither the /success nor /failure parameters are explicitly specified. This setting must be used with a parameter indicating whether to enable or disable the setting.
/failure       Specifies failure auditing. This setting must be used with a parameter indicating whether to enable or disable the setting.
/option        Sets the audit policy for the CrashOnAuditFail, FullprivilegeAuditing, AuditBaseObjects, or AuditBasedirectories options.
/sd            Sets the security descriptor used to delegate access to the audit policy. The security descriptor must be specified by using the Security Descriptor Definition Language (SDDL). The security descriptor must have a discretionary access control list (DACL).
/?             Displays help at the command prompt.

Examples

To set the per-user audit policy for all subcategories under the Detailed Tracking category for the user mikedan so that all the user's successful attempts will be audited, type:

auditpol /set /user:mikedan /category:"detailed Tracking" /include /success:enable

To set the per-user audit policy for categories specified by name and GUID, and subcategories specified by GUID, to suppress auditing for any successful or failed attempts, type:

auditpol /set /user:mikedan /exclude /category:"Object Access,System,{6997984b-797a-11d9-bed3-505054503030}" /subcategory:"{0ccee9210-69ae-11d9-bed3-505054503030},{0ccee9211-69ae-11d9-bed3-505054503030}" /success:enable /failure:enable

To set the per-user audit policy for the specified user so that, for all categories, auditing of all but successful attempts is suppressed, type:

auditpol /set /user:mikedan /exclude /category:* /success:enable

To set the system audit policy for all subcategories under the Detailed Tracking category to include auditing for only successful attempts, type:

auditpol /set /category:"detailed Tracking" /success:enable

Note

The failure setting is not altered.

To set the system audit policy for the Object Access and System categories (which is implied because their subcategories are listed) and the subcategories specified by GUIDs, suppressing failed attempts and auditing successful attempts, type:

auditpol /set /subcategory:"{0ccee9210-69ae-11d9-bed3-505054503030},{0ccee9211-69ae-11d9-bed3-505054503030}" /failure:disable /success:enable

To set the auditing options to the enabled state for the CrashOnAuditFail option, type:

auditpol /set /option:CrashOnAuditFail /value:enable
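The following PowerShell script is an added example, not part of the original reference: it applies a small system audit baseline with auditpol /set and then verifies each subcategory by parsing the CSV report that auditpol /get /r produces, so a policy change that silently failed (for example, when run without SeSecurityPrivilege) is caught. The subcategory names and the desired settings in $baseline are assumptions chosen for illustration.

```powershell
# Added example (not from the original page). Run from an elevated prompt: auditpol /set
# requires Write/Full Control on the policy or the Manage auditing and security log right.

function Set-AuditSubcategory {
    param(
        [Parameter(Mandatory)][string]$Subcategory,
        [ValidateSet('enable', 'disable')][string]$Success = 'enable',
        [ValidateSet('enable', 'disable')][string]$Failure = 'enable'
    )
    # Subcategory names such as "Process Creation" contain spaces, so the value is quoted,
    # exactly as the page's own examples quote "detailed Tracking".
    & auditpol.exe /set /subcategory:"$Subcategory" /success:$Success /failure:$Failure | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed for '$Subcategory' (exit code $LASTEXITCODE)"
    }
}

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r switches auditpol /get to CSV output with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv = & auditpol.exe /get /subcategory:"$Subcategory" /r | Where-Object { $_ -ne '' }
    $row = $csv | ConvertFrom-Csv | Select-Object -First 1
    # Inclusion Setting is one of: No Auditing, Success, Failure, Success and Failure
    return $row.'Inclusion Setting'
}

# Constructed baseline: both subcategories audited for success and failure.
$baseline = @(
    @{ Name = 'Process Creation'; Success = 'enable'; Failure = 'enable'; Expect = 'Success and Failure' },
    @{ Name = 'Logon';            Success = 'enable'; Failure = 'enable'; Expect = 'Success and Failure' }
)

foreach ($entry in $baseline) {
    Set-AuditSubcategory -Subcategory $entry.Name -Success $entry.Success -Failure $entry.Failure
    $actual = Get-AuditSubcategorySetting -Subcategory $entry.Name
    if ($actual -ne $entry.Expect) {
        Write-Warning "$($entry.Name): expected '$($entry.Expect)' but auditpol reports '$actual'"
    }
    else {
        Write-Host "$($entry.Name): $actual"
    }
}
```

Because /success and /failure are set independently, the verification step also catches the case the page's note describes, where a command that only passes /success leaves the failure setting unchanged.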

Additional References