The Windows Club

What is AuditPol in Windows 10/8/7 and how to enable it

Windows 10/8/7, Windows Vista, Windows Server 2008, Windows Server 2008 R2 include a command line tool called Audit Policy Program, AuditPol.exe, situated in the System32 folder that allows you to manage and audit policy sub-category settings in a more precise way.

Setting audit policy at the category level will override the new subcategory audit policy feature. A new registry value introduced in Windows Vista, SCENoApplyLegacyAuditPolicy, allows audit policy to be managed by using subcategories without requiring a change to Group Policy. This registry value can be set to prevent the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.

AuditPol in Windows

If you wish to enable this option, open Local Security Policy > Local Policies > Security Options.

Now in the right panel, double click on Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings. Select Enabled > Apply/OK.

AuditPol has several switches that allows you to display, set, clear, backup and restore settings.

Specially, it can be used to:

If you open a command prompt as an administrator, you can use AuditPol to view the defined auditing settings by running:

auditpol /get /category:*

A point to be noted is that while viewing audit policy settings with AuditPol and the Local Security Policy viz secpol.msc, the settings may show different results. KB2573113 explains the reason for this:

AuditPol directly calls authorization APIs to implement the changes to the granular audit policy.  Secpol.msc manipulates the Local Group Policy Object, which results in writing the changes to system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv.  The settings saved to the .csv file are not applied directly to the system at the time of modification, but are instead written to the file and read later by the client-side extension (CSE).  At the next group policy refresh cycle, the CSE applies the modifications that are present in the .csv file. Secpol.msc displays what is set in the local GPO. There is no “effective settings” view in secpol.msc that will merge granular AuditPol settings and what is defined locally as seen with secpol.msc.

For more details visit AuditPol on TechNet.