WMI access to audit policy info

(Trying this again, now that I have better info.)
Windows 7, Local computer ...
I have set most of the audit policy settings. Auditpol confirms that they are set.
WMI Explorer, accessing RSOP_AuditPolicy in the root\rsop\computer name space, finds 0 instances. Likewise for other apparently useful classes. So here are my questions:
(1) Is the audit and security policy setting info accessible using WMI?
(2) If so, what do I have to do to get it?
Roland_F asked:
Rich Rumble (Security Samurai) commented:
If it's not set using GPOs, then this approach will not work, from my testing. Using Secpol.msc or Auditpol.exe will not populate the WMI query even when the namespace is valid. Parsing the output of "auditpol.exe /get /category:*" might be the better way.
-rich
0
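
One way to do the parsing suggested in the answer above, as an added example that is not code from the thread's participants. It uses auditpol's /r switch (CSV report) instead of the table output, and assumes English-language setting strings; the sample rows, placeholder GUIDs and the `$required` baseline are constructed for illustration.

```powershell
# Added example: read the effective local audit policy from auditpol's CSV report.
# $sample is constructed data in the column layout of "auditpol /get /category:* /r";
# the machine name and GUID values are placeholders, not real subcategory GUIDs.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting

SRV01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
SRV01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,
SRV01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000003},Success,
'@ -split "`r?`n"

function Get-LocalAuditPolicy {
    param([string[]]$CsvLines)   # omit to query the live machine (needs elevation)
    if (-not $CsvLines) {
        $CsvLines = & auditpol.exe /get /category:* /r
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }
    }
    # The report has a blank line after the header, so drop empty lines first
    $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Computer    = $_.'Machine Name'
            Subcategory = $_.Subcategory
            Success     = $_.'Inclusion Setting' -match 'Success'
            Failure     = $_.'Inclusion Setting' -match 'Failure'
        }
    }
}

# Hypothetical baseline: subcategories that must audit both success and failure
$required = 'Logon', 'Audit Policy Change'

$policy = Get-LocalAuditPolicy -CsvLines $sample
$policy | Format-Table -AutoSize

# Report every required subcategory that is missing or only partially audited
foreach ($name in $required) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) { "MISSING  $name" }
    elseif (-not ($row.Success -and $row.Failure)) {
        "WEAK     $name (Success=$($row.Success) Failure=$($row.Failure))"
    }
}
```

Calling `Get-LocalAuditPolicy` with no argument from an elevated prompt reads the live policy, which works on workgroup machines because it does not depend on the RSOP namespace being populated.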
 
Rich Rumble (Security Samurai) commented:
That is not a dynamic namespace, so it's harder to have a tool like the Scriptomatic create a script for it. Have a look at these: http://www.activexperts.com/activmonitor/windowsmanagement/scripts/grouppolicy/

strComputer = "."

' Connect once to the computer half of the RSoP namespace
Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\rsop\computer")

' Audit policy entries delivered by Group Policy
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")

For Each objItem in colItems
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
    Wscript.Echo
Next

' Links between GPOs and the scopes of management they apply to
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPLink")

For Each objItem in colItems
    Wscript.Echo "GPO: " & objItem.GPO
    Wscript.Echo "Applied Order: " & objItem.AppliedOrder
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "Link Order: " & objItem.LinkOrder
    Wscript.Echo "No Override: " & objItem.NoOverride
    Wscript.Echo "SOM Order: " & objItem.SOMOrder
    Wscript.Echo
Next

' The GPOs themselves
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO")

For Each objItem in colItems
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "GUID Name: " & objItem.GUIDName
    Wscript.Echo "ID: " & objItem.ID
    Wscript.Echo "Access Denied: " & objItem.AccessDenied
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "File System path: " & objItem.FileSystemPath
    Wscript.Echo "Filter Allowed: " & objItem.FilterAllowed
    Wscript.Echo "Filter ID: " & objItem.FilterId
    Wscript.Echo "Version: " & objItem.Version
    Wscript.Echo
Next

-rich
0
 
Roland_F (Author) commented:
Thanks, but I have no problem getting information from "RSOP_GPO". I can also get info from six or seven other classes, but not from anything that should be giving me audit policy settings. I suspect there is a security switch somewhere that says WMI may or may not have access to this info. That's what I'm asking about.
0
 
Rich Rumble (Security Samurai) commented:
I see. Workgroup or non-domain-joined PCs won't have anything listed; the following script only outputs "Security Audit Policy Settings" even if the settings are set; they are not set using a GPO. Also, it appears LOCAL accounts cannot query the RSOP namespace from my limited testing, but Domain accounts can...
Const FL_FORCE_CREATE_NAMESPACE = 4
strComputer = "."
Set locator = CreateObject("WbemScripting.SWbemLocator")
Set connection = locator.ConnectServer( strComputer, "root\rsop", null, null, null, null, 0, null)

' Ask the RSoP logging-mode provider to build a temporary namespace;
' its path comes back in namespaceLocation
Set provider = connection.Get("RsopLoggingModeProvider")
provider.RsopCreateSession FL_FORCE_CREATE_NAMESPACE, Null, namespaceLocation, hResult, eInfo

' Connect to the computer half of that temporary namespace
Set rsopProv = locator.ConnectServer _
    (strComputer, namespaceLocation & "\Computer", null, null, Null, Null, 0 , Null)
WScript.Echo "Security Audit Policy Settings"
Set colItems = rsopProv.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    WScript.Echo String(50, "=")
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
Next

' Remove the temporary namespace again
provider.RsopDeleteSession namespaceLocation, hResult

The code works on XP, Vista, 2k3, 2k8 and Win7 (as a domain user with local admin).
Output is as follows:


Security Audit Policy Settings
==================================================
Category: AuditPolicyChange
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 2
Failure: False
Success: False
==================================================
Category: AuditSystemEvents
Precedence: 2
Failure: False
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditDSAccess
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditObjectAccess
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditObjectAccess
Precedence: 1
Failure: True
Success: False
==================================================
Category: AuditDSAccess
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditPolicyChange
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditSystemEvents
Precedence: 1
Failure: False
Success: True

-rich
0
 
Roland_F (Author) commented:
This is important because I am dealing with numerous server networks, most of which do not have Domain definitions. So:
(1) I can set audit policy on each machine.
(2) I can query the settings using Auditpol.
(3) The settings, however, do not exist in the RSOP name space, or if they do, there is no way that WMI can see them.
Is this correct? Because, if it is, I will have to abandon this approach and
try another.
0
 
Roland_F (Author) commented:
Not what I was hoping for, but at least you have managed to convince me that WMI is not the way to access audit policy information.
0
Question has a verified solution.
