Local Audit policy

Hello Bigfixers,

I am trying to get all the values in an audit policy which are enabled. I am using the following relevance but had no luck.

Q: (name of it, (if (audit failure of it and audit success of it) then ("Success, Failure") else (if (audit failure of it) then ("Failure") else (if (audit success of it) then ("Success") else ("No Auditing")))) of system policy of it) of logon logoff category of audit policy

The key I am interested in is shown in the following picture.

Try this:

Q: (name of it, (if (audit failure of it) then ("Failure") else (if (audit success of it) then ("Success") else ("Nothing"))) of system policy of it) of subcategories of logon logoff category of audit policy
A: Logon, Failure
A: Logoff, Success
A: Account Lockout, Success
A: IPsec Main Mode, Nothing
A: IPsec Quick Mode, Nothing
A: IPsec Extended Mode, Nothing
A: Special Logon, Success
A: Other Logon/Logoff Events, Nothing
A: Network Policy Server, Failure
A: User / Device Claims, Nothing
A: Group Membership, Nothing
T: 3.088 ms

Note that the settings @vk.khurava references are in another location in the Local Security Policy editor - under 'Advanced Audit Policy Configuration'.

As Advanced Audit Policy overrides the Local Policies\Audit Policy, there is almost no use-case where Local Policies\Audit Policy matters anymore. If you really have a use-case where you’ve disabled Advanced Audit Policy and need to check the legacy Basic Audit Policy values, it’s possible, but we don’t have a built-in inspector for it; they are binary-encoded values in the Registry.
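A way to cross-check the Advanced Audit Policy subcategory settings discussed above outside of BigFix, added here as an example (it is not part of the original thread and not BigFix code): parse the CSV report of `auditpol /get /category:"Logon/Logoff" /r` and list subcategories that fall short of a baseline. It assumes English-language output with `Subcategory` and `Inclusion Setting` columns; the sample rows, the GUID placeholder and `BASELINE` are constructed for illustration.

```python
import csv
import io

# Constructed sample of the auditpol CSV report (host name and GUIDs are
# placeholders; the settings are illustrative, not taken from the thread).
SAMPLE_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{GUID-PLACEHOLDER},Success and Failure,
HOST01,System,Logoff,{GUID-PLACEHOLDER},Success,
HOST01,System,Account Lockout,{GUID-PLACEHOLDER},Failure,
HOST01,System,Special Logon,{GUID-PLACEHOLDER},No Auditing,
"""

# Hypothetical baseline: flags each subcategory is required to audit.
BASELINE = {
    "Logon": {"Success", "Failure"},
    "Logoff": {"Success"},
    "Account Lockout": {"Success", "Failure"},
    "Special Logon": {"Success"},
}


def parse_auditpol_csv(text):
    """Map subcategory name -> set of enabled flags (subset of Success/Failure)."""
    policy = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("Subcategory") or "").strip()
        if not name:
            continue  # skip rows without a subcategory
        setting = (row.get("Inclusion Setting") or "").strip().lower()
        # "Success and Failure" yields both flags; "No Auditing" yields none.
        policy[name] = {f for f in ("Success", "Failure") if f.lower() in setting}
    return policy


def missing_flags(policy, baseline):
    """Return {subcategory: sorted missing flags} for every baseline gap."""
    gaps = {}
    for name, required in baseline.items():
        missing = required - policy.get(name, set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps


if __name__ == "__main__":
    current = parse_auditpol_csv(SAMPLE_CSV)
    for name, flags in current.items():
        print(f"{name}: {', '.join(sorted(flags, reverse=True)) or 'No Auditing'}")
    for name, missing in missing_flags(current, BASELINE).items():
        print(f"GAP {name}: missing {', '.join(missing)}")
```

On an endpoint, replace `SAMPLE_CSV` with the captured output of the `auditpol` command run from an elevated prompt.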