Windows Folder Auditing

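$Path = "E:\Public"
# Audit successful deletes by Everyone. 'none', 'none' = no inheritance or propagation,
# so the rule applies to this folder only.
$AuditChangesRules = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Delete,DeleteSubdirectoriesAndFiles', 'none', 'none', 'Success')
# -Audit loads the existing SACL so the new rule is added to it.
$Acl = Get-Acl -Path $Path -Audit
$Acl.AddAuditRule($AuditChangesRules)
Set-Acl -Path $Path -AclObject $Acl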

Or

The $path parameter specifies the file or folder on which to set the audit policy.

$computer = gc env:computername
$path = "C:\New Folder"
$user = "everyone"
# Backslashes must be escaped in the WMI filter string.
$path = $path.replace("\", "\\")
$SD = ([WMIClass] "Win32_SecurityDescriptor").CreateInstance()
$ace = ([WMIClass] "Win32_ace").CreateInstance()
$Trustee = ([WMIClass] "Win32_Trustee").CreateInstance()
# Resolve the account name to its SID in binary form.
$SID = (new-object security.principal.ntaccount $user).translate([security.principal.securityidentifier])
[byte[]] $SIDArray = ,0 * $SID.BinaryLength
$SID.GetBinaryForm($SIDArray,0)
$Trustee.Name = $user
$Trustee.SID = $SIDArray
$ace.AccessMask = [System.Security.AccessControl.FileSystemRights]"Modify"
$ace.AceFlags = 0x67
# AceType 2 = SystemAudit
$ace.AceType = 2
$ace.Trustee = $Trustee
$SD.SACL = $ace
# ControlFlags 0x10 = SE_SACL_PRESENT
$SD.ControlFlags = 0x10
$wPrivilege = gwmi Win32_LogicalFileSecuritySetting -computername $computer -filter "path='$path'"
# Enable privileges on the WMI connection before writing the SACL.
$wPrivilege.psbase.Scope.Options.EnablePrivileges = $true
$wPrivilege.setsecuritydescriptor($SD)

References:
https://blogs.technet.microsoft.com/bulentozkir/2009/12/26/sample-powershell-code-to-enable-auditing-on-a-folder/
https://docs.microsoft.com/es-es/dotnet/api/system.security.accesscontrol.aceflags?view=netframework-4.7.2
https://docs.microsoft.com/en-us/dotnet/api/system.security.accesscontrol.acetype?view=netframework-4.7.2

https://woshub.com/tracking-files-deletion-using-audit-policy-and-mssql


Enable file access auditing in Group Policy

Use the secedit or auditpol command

1. secedit

Export the policy
secedit /export /cfg gp.inf /log 1.log

Set "Audit object access" to Success and Failure:

echo [version] > 1.inf
echo signature="$CHICAGO$" >> 1.inf
echo [Event Audit] >> 1.inf
echo AuditObjectAccess=3 >> 1.inf
secedit /configure /db 1.sdb /cfg 1.inf /log 1.log /quiet
del 1.*
gpupdate /force
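
A folder SACL produces no events unless object-access auditing is also enabled, so both halves of the setup above need to be in place. The following check is an added example, not code from the original note or its references. The function name Test-DeleteAuditing is hypothetical, and the example assumes an elevated prompt, English-language auditpol output, and the E:\Public folder used above.

```powershell
# Added example: verify that the folder SACL and the audit policy are both set.
# Assumptions: elevated prompt; English auditpol output; 'Everyone' resolves by that name.
function Test-DeleteAuditing {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Identity = 'Everyone'
    )

    # Without -Audit, Get-Acl does not return the SACL at all.
    $acl   = Get-Acl -Path $Path -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

    $delete  = [System.Security.AccessControl.FileSystemRights]::Delete
    $success = [System.Security.AccessControl.AuditFlags]::Success

    # SACL entries that audit successful deletes for the expected identity.
    $match = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        ($_.FileSystemRights -band $delete) -eq $delete -and
        ($_.AuditFlags -band $success) -eq $success
    })

    # Effective policy for the "File System" subcategory, addressed by its GUID.
    # /r prints CSV; the 'Inclusion Setting' column holds e.g. "Success and Failure".
    $csv = auditpol /get "/subcategory:{0CCE921D-69AE-11D9-BED3-505054503030}" /r |
        Where-Object { $_ } | ConvertFrom-Csv
    $setting = $csv.'Inclusion Setting'
    $policyOk = [bool]($setting -match 'Success')

    [pscustomobject]@{
        Path            = $Path
        MatchingRules   = $match.Count
        SaclRulePresent = ($match.Count -gt 0)
        PolicySetting   = $setting
        PolicyAudits    = $policyOk
        # Events are written only when both conditions hold.
        Effective       = ($match.Count -gt 0) -and $policyOk
    }
}

Test-DeleteAuditing -Path 'E:\Public'
```

If Effective is False, SaclRulePresent and PolicyAudits show which of the two steps is missing.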