Here's a script to turn on an audit rule:
$path = 'C:\...\*'
$ACL = new-object System.Security.AccessControl.FileSecurity
$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("everyone","ExecuteFile","success")
$ACL.SetAuditRule($AccessRule)
$dircont = gci $path -include "*.dot"
foreach ($file in $dircont)
{
    $ACL | Set-Acl $file
}
BUT what I want to be able to do is, for any given file, remove any and all auditing rules. So let's say you don't know what users have auditing set or for what actions, you just want to get rid of it all... Like I think I could do something like:
$AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("everyone","ExecuteFile","none")
But that only helps if you know what users are already configured to be audited on that file... Hope this makes sense. Thanks for any help.
It's a bit more tricky to remove rules, you will have to look at every file...
Documentation for GetAuditRules (and its cryptic parameters)
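The per-file approach described above, as an added example that is not part of the original thread: it reads each file's SACL, enumerates every explicit audit rule with GetAuditRules regardless of user or action, removes them, and writes the descriptor back. The function name Remove-AllAuditRules and the sample path are assumptions made for illustration.

```powershell
# Added example. Run elevated: reading or writing a SACL requires the
# "Manage auditing and security log" right (SeSecurityPrivilege).
function Remove-AllAuditRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$LiteralPath
    )
    process {
        # -Audit makes Get-Acl load the SACL; without it no audit rules are returned.
        $acl = Get-Acl -LiteralPath $LiteralPath -Audit

        # GetAuditRules(includeExplicit, includeInherited, targetType).
        # Asking for SecurityIdentifier avoids name-translation errors
        # when a rule refers to an account that no longer exists.
        $sidType   = [System.Security.Principal.SecurityIdentifier]
        $explicit  = @($acl.GetAuditRules($true,  $false, $sidType))
        $inherited = @($acl.GetAuditRules($false, $true,  $sidType))

        foreach ($rule in $explicit) {
            # Removes exactly this rule (same identity, rights and audit flags).
            [void]$acl.RemoveAuditRuleSpecific($rule)
        }

        $action = "Remove $($explicit.Count) explicit audit rule(s)"
        if ($explicit.Count -gt 0 -and $PSCmdlet.ShouldProcess($LiteralPath, $action)) {
            Set-Acl -LiteralPath $LiteralPath -AclObject $acl
        }

        # Inherited rules come from a parent folder and are only reported here.
        [pscustomobject]@{
            Path               = $LiteralPath
            ExplicitFound      = $explicit.Count
            InheritedRemaining = $inherited.Count
        }
    }
}

# Usage with a hypothetical path; drop -WhatIf to apply the change.
Get-ChildItem -Path 'C:\Temp\Templates\*' -Include '*.dot' -File |
    Remove-AllAuditRules -WhatIf
```

A non-zero InheritedRemaining means auditing is still applied from a parent folder and has to be changed there.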
This doesn't address your question, I don't know how, but your script can be cleaned up just a bit: