How can I set auditing for a folder in Windows programatically?

Posted on 2011-04-25
Last Modified: 2012-06-27
I need to set auditing on a folder for everyone, failure, full.

The code below seemed promising, but fails returing the code "1314."

How can I set the SACL via script?  I am not married to the attached code, but it demonstrates a flow that one might expect to work.

I have found various ways to write the DACL, but none seem to convert directly to SACL.


Set wmiFileSecSetting = GetObject("winmgmts:Win32_LogicalFileSecuritySetting.path='c:\\test'")
'Obtain existing security descriptor for folder
RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecDes)
If Err <> 0 Then
    WScript.Echo "GetSecurityDescriptor failed" _
    & VBCRLF & Err.Number & VBCRLF & Err.Description
    WScript.Echo "GetSecurityDescriptor succeeded"
End If

varSACL = wmiSecDes.SACL

Set objwmi = getobject("winmgmts:\\.\root\cimv2")
Set objaceclass = objwmi.get("win32_ace")
Set objace = objaceclass.spawninstance_()
Set objtrusteeclass = objwmi.Get("Win32_Trustee")
Set objtrustee1 = objtrusteeclass.spawninstance_() = "Everyone"
objtrustee1.sidstring = "S-1-1-0"
objace.accessmask = 983551
objace.acetype = 2
objace.aceflags = 128
objace.Trustee = objtrustee1
wmiSecDes.sacl = objace
If wmifilesecsetting.setsecuritydescriptor(wmisecdes) = 0 Then
Wscript.echo "pass"
Wscript.echo "Fail " & wmifilesecsetting.setsecuritydescriptor(wmisecdes)
End If

Open in new window

Question by:jrslim
    LVL 41

    Assisted Solution

    Take a look at this example...   It differs from yours only in the fact that it treats the SACL as an array

    Author Comment

    Thanks Grave, but that method fails as well.

    Accepted Solution

    I got it.

    Started with the code refereenced by grave.

    Added impersonate to the GetObject statements which enabled the seSecurityPrivilege and allowed modification of the SACL.

    Partial credit to grave for directing me back to almost correct code.

    ' Connect to WMI and get the file security 
    ' object for the test directory 
    Set wmiFileSecSetting = GetObject ( _ 
    "winmgmts:{impersonationLevel=impersonate,(Security)}!Win32_LogicalFileSecuritySetting." & _ 
    ' Obtain existing security descriptor for folder 
    RetVal = wmiFileSecSetting.GetSecurityDescriptor(wmiSecurityDescriptor) 
    If Err <> 0 Then 
    WScript.Echo "GetSecurityDescriptor failed" & _ 
    VBCRLF & Err.Number & VBCRLF & Err.Description 
    End If 
    dim oACE, oTrustee 
    set oACE=GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!Win32_ACE") 
    set oTrustee=GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!Win32_Trustee") 
    'Set Trustee Attributes 
    ' Set ACE Attributes 
    'Add ACE to Security Descriptor 
    if isarray(wmiSecurityDescriptor.SACL) then 
    end if 
    'Print out Aces for test 
    for each wmiAce in wmiSecurityDescriptor.SACL 
    Set Trustee = wmiAce.Trustee 
    wscript.echo "Trustee Domain: " & Trustee.Domain 
    wscript.echo "Trustee Name: " & Trustee.Name 
    wscript.echo "Trustee SIDString " & Trustee.SIDString 
    wscript.echo "Access Type " & wmiAce.AceType 
    wscript.echo "Access Flags " & wmiAce.AceFlags 
    wscript.echo "Access Mask: " & wmiAce.AccessMask 
    ' Call the Win32_LogicalFileSecuritySetting. 
    ' SetSecurityDescriptor method 
    ' to write the new security descriptor. 
    RetVal = wmiFileSecSetting. _ 
    Wscript.Echo "ReturnValue is: " & RetVal

    Open in new window


    Author Closing Comment

    Discovered my own solution.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    Deploying a Microsoft Access application in a Citrix environment is not difficult but takes a few steps. However, Citrix system people are often of little help, as they typically know next to nothing about Access. The script provided here will take …
    Whether you’re a college noob or a soon-to-be pro, these tips are sure to help you in your journey to becoming a programming ninja and stand out from the crowd.
    This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
    In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …

    731 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now