---
external help file: NTFSSecurity.dll-Help.xml
Module Name: ntfssecurity
online version:
schema: 2.0.0
---

# Add-NTFSAudit

## SYNOPSIS
Add auditing to a folder or file.

## SYNTAX

### PathComplex (Default)
```
Add-NTFSAudit [-Path] <String[]> [-Account] <IdentityReference2[]> [-AccessRights] <FileSystemRights2>
 [-AuditFlags <AuditFlags>] [-InheritanceFlags <InheritanceFlags>] [-PropagationFlags <PropagationFlags>]
 [-PassThru] [<CommonParameters>]
```

### PathSimple
```
Add-NTFSAudit [-Path] <String[]> [-Account] <IdentityReference2[]> [-AccessRights] <FileSystemRights2>
 [-AuditFlags <AuditFlags>] [-AppliesTo <ApplyTo>] [-PassThru] [<CommonParameters>]
```

### SDSimple
```
Add-NTFSAudit [-SecurityDescriptor] <FileSystemSecurity2[]> [-Account] <IdentityReference2[]>
 [-AccessRights] <FileSystemRights2> [-AuditFlags <AuditFlags>] [-AppliesTo <ApplyTo>] [-PassThru]
 [<CommonParameters>]
```

### SDComplex
```
Add-NTFSAudit [-SecurityDescriptor] <FileSystemSecurity2[]> [-Account] <IdentityReference2[]>
 [-AccessRights] <FileSystemRights2> [-AuditFlags <AuditFlags>] [-InheritanceFlags <InheritanceFlags>]
 [-PropagationFlags <PropagationFlags>] [-PassThru] [<CommonParameters>]
```

## DESCRIPTION
You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.

To complete this procedure, you must be signed in as a member of the built-in Administrators group or have the Manage auditing and security log right.

## EXAMPLES

### Example 1
```PowerShell
PS C:\> Add-NTFSAudit -Path C:\Data -Account 'NT AUTHORITY\Authenticated Users' -AccessRights GenericAll -AuditFlags Failure
```

The above command adds auditing to the folder C:\Data: failed access attempts by Authenticated Users are audited for the GenericAll access rights.
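
The following is an added example, not part of the original NTFSSecurity help: it applies the same audit scope once through `-AppliesTo` (PathSimple) and once through `-InheritanceFlags`/`-PropagationFlags` (PathComplex), then checks the result. The folder `C:\Data\Finance` and the choice of accounts and rights are assumptions; `Get-NTFSAudit` is the module's companion read cmdlet, and `auditpol`, `whoami` and `Get-WinEvent` are standard Windows tools.

```powershell
# Added example; C:\Data\Finance is a hypothetical folder. Run elevated.
Import-Module NTFSSecurity
$target = 'C:\Data\Finance'

# Prerequisite from the DESCRIPTION: writing a SACL needs SeSecurityPrivilege
# ("Manage auditing and security log") in the caller's token.
whoami /priv | Select-String 'SeSecurityPrivilege'

# A SACL entry only produces Security log events when the "File System"
# audit subcategory is enabled (the name is localized on non-English systems).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# PathSimple: a single -AppliesTo value expresses the scope.
Add-NTFSAudit -Path $target `
    -Account 'NT AUTHORITY\Authenticated Users' `
    -AccessRights GenericAll `
    -AuditFlags Failure `
    -AppliesTo ThisFolderSubfoldersAndFiles

# PathComplex: the same scope (this folder, subfolders and files) written
# as raw flags, here for successful destructive or ACL-changing operations.
$rule = @{
    Path             = $target
    Account          = 'Everyone'
    AccessRights     = 'Delete, ChangePermissions, TakeOwnership'
    AuditFlags       = 'Success'
    InheritanceFlags = 'ContainerInherit, ObjectInherit'
    PropagationFlags = 'None'
    PassThru         = $true   # return the new audit rule instead of nothing
}
Add-NTFSAudit @rule

# Read the SACL back to confirm both entries are present.
Get-NTFSAudit -Path $target

# Failed opens are logged as event 4656, successful accesses as 4663.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Auditing `GenericAll` failures for Authenticated Users on a busy share can generate a large event volume; narrowing the rights or the scope keeps the Security log usable for detection.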

## PARAMETERS

### -AccessRights
The AccessRights parameter designates the permissions to monitor or audit. There are individual permissions as well as 'basic' permissions. See the below table for how the basic permissions map to the advanced permissions in the advanced security window.

```yaml
Type: FileSystemRights2
Parameter Sets: (All)
Aliases: FileSystemRights
Accepted values: None, ReadData, ListDirectory, WriteData, CreateFiles, AppendData, CreateDirectories, ReadExtendedAttributes, WriteExtendedAttributes, ExecuteFile, Traverse, DeleteSubdirectoriesAndFiles, ReadAttributes, WriteAttributes, Write, Delete, ReadPermissions, Read, ReadAndExecute, Modify, ChangePermissions, TakeOwnership, Synchronize, FullControl, GenericAll, GenericExecute, GenericWrite, GenericRead

Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```

### -Account
The Account parameter defines the account or group to apply the auditing to.

```yaml
Type: IdentityReference2[]
Parameter Sets: (All)
Aliases: IdentityReference, ID

Required: True
Position: 2
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```

### -AppliesTo
The AppliesTo parameter defines where the auditing applies and whether there is any inheritance, e.g. "this folder only" or "this folder and subfolders".

```yaml
Type: ApplyTo
Parameter Sets: PathSimple, SDSimple
Aliases:
Accepted values: ThisFolderOnly, ThisFolderSubfoldersAndFiles, ThisFolderAndSubfolders, ThisFolderAndFiles, SubfoldersAndFilesOnly, SubfoldersOnly, FilesOnly, ThisFolderSubfoldersAndFilesOneLevel, ThisFolderAndSubfoldersOneLevel, ThisFolderAndFilesOneLevel, SubfoldersAndFilesOnlyOneLevel, SubfoldersOnlyOneLevel, FilesOnlyOneLevel

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```

### -AuditFlags
The AuditFlags parameter defines what types of events will be audited. To audit only denied access, choose Failure.

```yaml
Type: AuditFlags
Parameter Sets: (All)
Aliases:
Accepted values: None, Success, Failure

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```

### -InheritanceFlags
The InheritanceFlags parameter defines the inheritance of the auditing.

ObjectInherit will apply the auditing to files and folders in the folder defined by the Path parameter.

ContainerInherit will apply the auditing to subfolders but not files.

More information is available on Microsoft Docs [here](https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms229747(v=vs.100)?redirectedfrom=MSDN).

```yaml
Type: InheritanceFlags
Parameter Sets: PathComplex, SDComplex
Aliases:
Accepted values: None, ContainerInherit, ObjectInherit

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```

### -PassThru
The PassThru parameter returns the new auditing as a table. If the PassThru parameter is omitted, nothing is returned when the operation succeeds.

```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -Path
The Path parameter specifies the file or container to apply the auditing to.

```yaml
Type: String[]
Parameter Sets: PathComplex, PathSimple
Aliases: FullName

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```

### -PropagationFlags
The PropagationFlags parameter defines how the auditing is propagated to child objects.

InheritOnly specifies that the auditing is propagated only to child objects. This includes both folder and file child objects.

NoPropagateInherit specifies that the auditing is not propagated to child objects.

None specifies that no inheritance flags are set.

```yaml
Type: PropagationFlags
Parameter Sets: PathComplex, SDComplex
Aliases:
Accepted values: None, NoPropagateInherit, InheritOnly

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByPropertyName)
Accept wildcard characters: False
```

### -SecurityDescriptor
The SecurityDescriptor parameter allows passing a security descriptor or an array of security descriptors.

A security descriptor contains information about the owner of the object and the primary group of the object. The security descriptor also contains two access control lists (ACLs). The first is the discretionary access control list (DACL), which describes who should have access to an object and what type of access to grant. The second is the system access control list (SACL), which defines what type of auditing to record for an object.

```yaml
Type: FileSystemSecurity2[]
Parameter Sets: SDSimple, SDComplex
Aliases:

Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```

### CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).

## INPUTS

### System.String[]

### Security2.FileSystemSecurity2[]

### Security2.IdentityReference2[]

### Security2.FileSystemRights2

### System.Security.AccessControl.AuditFlags

### System.Security.AccessControl.InheritanceFlags

### System.Security.AccessControl.PropagationFlags

### Security2.ApplyTo

## OUTPUTS

### Security2.FileSystemAccessRule2

## NOTES

## RELATED LINKS