Script to enable auditing on all client PCs in a Domain

Discussion in 'Windows Server' started by Laljeev, Apr 19, 2009.

  1. Laljeev

    Laljeev Guest

    Hi

    Can anyone help me write a script to audit the C: drive of all my client PCs,
    which are Windows 2003 domain members? We configured a GPO for auditing, and
    the URL below shows me how to check the existing SACL:
    http://msdn.microsoft.com/en-us/library/aa393592.aspx

    But can anyone help me complete the script to add a new entry in the
    Auditing tab of any folder?

    Thanks in advance
     
    Laljeev, Apr 19, 2009
    #1

  2. Hello Laljeev,

    What would you like to audit, and why the complete C: drive? How will you
    monitor that amount of data?

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 19, 2009
    #2

  3. Marcin

    Marcin Guest

    As Meinolf has pointed out, this sounds like an exercise in futility (with
    negative performance implications).
    Your primary line of defense should be based on keeping default permissions
    in place and not including regular users in any of the privileged groups. If
    this does not suffice, you might consider applying one of the predefined
    security templates
    (http://technet.microsoft.com/en-us/library/cc787720.aspx). Just keep in
    mind the implications outlined in this article (as well as in
    http://support.microsoft.com/kb/885409).

    hth
    Marcin
     
    Marcin, Apr 19, 2009
    #3
  4. Hi,

    Thank you for posting here.

    According to your description, I understand that:

    You would like to write a script to audit the C: drive of all client PCs in
    the domain.

    If I have misunderstood the problem, please don't hesitate to let me know.

    As Meinolf and Marcin suggested, it's not suggested to audit the whole
    Drive C: as there are too many access activities.

    If you have to configure the audit, there is a simple way to add the SACL
    using a GPO. To do so:

    Create a new GPO for the client PCs in the domain. Edit it and navigate to:

    [Computer Configuration\Policies\Windows Settings\Security Settings\File System]

    Right-click File System, choose Add file, choose Drive C:, click OK. On
    Database Security for %systemdrive%, click the Advanced button, switch to
    the Auditing tab, and click Add to add a user to the SACL.

    If you would like to use a script to edit the SACL, you can leverage PsExec
    and SubInacl to run it on every client PC, or add SubInacl to a computer
    startup script.

    1. Use PsExec and SubInacl:

    Download PsExec on the DC and run the command against every client.
    PsExec \\computername -c SubInacl.exe /file c:\ /sgrant=domain\username=Perms

    2. Create a new GPO for clients, and create a computer startup BAT file which
    contains "SubInacl /file c:\ /sgrant=domain\username=Perms".

    You can download those two programs from the links below.
    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
    http://www.microsoft.com/downloads/details.aspx?FamilyID=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

    If you have any difficulties when customizing the scripts, I suggest
    that you start a new post in The Official Scripting Guys Forum! to get
    further support there. They are the best resource for scripting-related
    problems.

    For your convenience, I have listed the link below.

    The Official Scripting Guys Forum!
    http://social.microsoft.com/Forums/en-US/ITCG/thread/34ed6cba-7698-4aa8-b13c-8693081296ef

    Sincerely,
    Mervyn Zhang
    Microsoft Online Community Support

    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Mervyn Zhang [MSFT], Apr 20, 2009
    #4
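
Added example (not written by any poster in this thread): a PowerShell alternative to the SubInacl command in post #4 that adds one audit entry to a single folder rather than all of C:, as the replies recommend, and changes nothing when an equivalent entry already exists. The folder path, principal and rights are placeholder assumptions; it must run elevated on the client and relies on object-access auditing already being enabled by GPO, as the original poster describes.

```powershell
# Added example: add a narrowly scoped audit entry (SACL ACE) to one folder.
# Assumptions (not from the thread): the path, principal and rights below are
# placeholders. Run elevated; reading or writing a SACL needs SeSecurityPrivilege.
param(
    [string]$Path     = 'C:\Data\Finance',   # hypothetical folder to audit
    [string]$Identity = 'Everyone',          # hypothetical principal to audit
    [System.Security.AccessControl.FileSystemRights]$Rights = 'Write, Delete, ChangePermissions, TakeOwnership'
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    Write-Warning "Skipping: $Path is not a folder on $env:COMPUTERNAME"
    return
}

# -Audit is required; without it Get-Acl returns the descriptor with no SACL.
$acl = Get-Acl -LiteralPath $Path -Audit

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $Rights, $inherit, $propagate, $flags)

# Compare by SID so a differently formatted account name still matches.
$sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate([System.Security.Principal.SecurityIdentifier])
$covered = $acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        ($_.FileSystemRights -band $Rights)  -eq $Rights -and
        ($_.AuditFlags       -band $flags)   -eq $flags -and
        ($_.InheritanceFlags -band $inherit) -eq $inherit
    }

if ($covered) {
    Write-Output "No change: $Path already audits $Identity for $Rights"
} else {
    $acl.AddAuditRule($rule)                 # merges with existing explicit ACEs
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Output "Added audit entry on $Path for $Identity ($Rights)"
}

# Re-read the SACL from disk to confirm what is actually in effect.
(Get-Acl -LiteralPath $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Auditing only write, delete and permission-change rights on a specific folder keeps Security log volume manageable, which is the concern raised in posts #2 and #3.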
  5. Hi,

    Would you mind letting me know the result of the suggestions? If you need
    further assistance, feel free to let me know. I will be more than happy to
    be of assistance.

    Have a great day!

    Sincerely,
    Mervyn Zhang
    Microsoft Online Community Support

    ==================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Mervyn Zhang [MSFT], Apr 23, 2009
    #5