xaudit Command Modify System Access Control List
The xaudit command adds entries in the system access control list (SACL). Each entry in this list causes an audit message to be logged when a specified user or group attempts to gain access to the resource. The xaudit- command removes entries from the SACL, and is valid for resource types FILE, PRINTER, REGKEY, DISK, COM, or SHARE.
This command has the following format:

    xaudit className resourceName \
       [failure(auditMode)] \
       [gid(groupName)] \
       [success(auditMode)] \
       [uid(userName)]
- className: Specifies the name of the resource type to which the resource belongs.
- failure(auditMode): Logs unauthorized access attempts to the resource. Valid values for auditMode depend on the resource type to which the resource belongs (only NTFS files can have audit modes):
  - DISK and COM: changePermissions, delete, modify, query, read, synchronize, and takeOwnership.
  - FILE: changePermissions, delete, execute, read, takeOwnership, and write.
  - PRINTER: changePermissions, delete, print, and takeOwnership.
  - REGKEY: delete, enumerate, link, notify, queryValue, readControl, setValue, subkey, and write.
  The values none and all are also accepted.
- gid(groupName): Specifies the groups whose access to the resource is being audited. When specifying more than one group, separate the names with spaces or commas.
- resourceName: Specifies the name of the resource record whose system access control list (SACL) is being modified.
- success(auditMode): Logs authorized accesses to the resource. Valid values for auditMode depend on the resource type to which the resource belongs (only NTFS files can have audit modes):
  - DISK and COM: changePermissions, delete, modify, query, read, synchronize, and takeOwnership.
  - FILE: changePermissions, delete, execute, read, takeOwnership, and write.
  - PRINTER: changePermissions, delete, print, and takeOwnership.
  - REGKEY: delete, enumerate, link, notify, queryValue, readControl, setValue, subkey, and write.
  The values none and all are also accepted.
- uid(userName): Specifies the users whose access to the resource is being audited. When specifying more than one user, separate the user names with spaces or commas. To specify all users who are defined in the Windows NT database, specify an asterisk (*) for userName.
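Two invocations added here as an illustration (they are not part of the original reference): the first records every failed access attempt by two groups against a FILE resource and, separately, any successful change of ownership; the second records successful writes to a REGKEY resource by any defined user. The resource record names and group names are constructed, and a single auditMode is given per option.

```text
xaudit FILE finance_payroll_xls \
   failure(all) \
   success(takeOwnership) \
   gid(Finance, Auditors)

xaudit REGKEY payroll_service_config \
   success(setValue) \
   uid(*)
```

Once the SACL entries are in place, each matching access produces an audit message, so the audit log can be reviewed for unexpected failures against the file or unexpected value changes under the key.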