Solved

WMI access to audit policy info

Posted on 2013-06-03
Last Modified: 2013-06-08
(Trying this again, now that I have better info.)
Windows 7, Local computer ...
I have set most of the audit policy settings. Auditpol confirms that they are set.
WMI Explorer, accessing RSOP_AuditPolicy in the root\rsop\computer name space, finds 0 instances. Likewise for other apparently useful classes. So here are my questions:
(1) Is the audit and security policy setting info accessible using WMI?
(2) If so, what do I have to do to get it?
Question by: Roland_F

Expert Comment

by:Rich Rumble
ID: 39218721
That is not a dynamic namespace, so it's harder to have a tool like the Scriptomatic create a script for it. Have a look at these: http://www.activexperts.com/activmonitor/windowsmanagement/scripts/grouppolicy/

' Connect once to the RSOP logging-mode namespace on the local machine.
strComputer = "."
Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\rsop\computer")

' Audit policy categories as applied through Group Policy.
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")

For Each objItem in colItems
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
    Wscript.Echo
Next

' GPO links, in the order they were applied to this computer.
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPLink")

For Each objItem in colItems
    Wscript.Echo "GPO: " & objItem.GPO
    Wscript.Echo "Applied Order: " & objItem.AppliedOrder
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "Link Order: " & objItem.LinkOrder
    Wscript.Echo "No Override: " & objItem.NoOverride
    Wscript.Echo "SOM Order: " & objItem.SOMOrder
    Wscript.Echo
Next

' The GPOs themselves (name, GUID, SYSVOL path, WMI filter, version).
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO")

For Each objItem in colItems
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "GUID Name: " & objItem.GUIDName
    Wscript.Echo "ID: " & objItem.ID
    Wscript.Echo "Access Denied: " & objItem.AccessDenied
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "File System path: " & objItem.FileSystemPath
    Wscript.Echo "Filter Allowed: " & objItem.FilterAllowed
    Wscript.Echo "Filter ID: " & objItem.FilterId
    Wscript.Echo "Version: " & objItem.Version
    Wscript.Echo
Next

-rich

Author Comment

by:Roland_F
ID: 39218949
Thanks, but I have no problem getting information from "RSOP_GPO". I can also get info from six or seven other classes, but not from anything that should be giving me audit policy settings. I suspect there is a security switch somewhere that says WMI may or may not have access to this info. That's what I'm asking about.

Expert Comment

by:Rich Rumble
ID: 39219619
I see. Workgroup or non-domain-joined PCs won't have anything listed; the following script only outputs "Security Audit Policy Settings" even if the settings are set, as they are not set using a GPO. Also, it appears LOCAL accounts cannot query the RSOP namespace from my limited testing, but Domain accounts can...
' Flag for RsopCreateSession: build a fresh logging namespace even if one exists.
Const FL_FORCE_CREATE_NAMESPACE = 4
strComputer = "."
Set locator = CreateObject("WbemScripting.SWbemLocator")
Set connection = locator.ConnectServer(strComputer, "root\rsop", Null, Null, Null, Null, 0, Null)
' Ask the RSOP logging-mode provider for a snapshot of the policy applied to this
' computer; namespaceLocation receives the path of the new namespace, hResult the status.
Set provider = connection.Get("RsopLoggingModeProvider")
provider.RsopCreateSession FL_FORCE_CREATE_NAMESPACE, Null, namespaceLocation, hResult, eInfo
Set rsopProv = locator.ConnectServer _
    (strComputer, namespaceLocation & "\Computer", Null, Null, Null, Null, 0, Null)
WScript.Echo "Security Audit Policy Settings"
Set colItems = rsopProv.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    WScript.Echo String(50, "=")
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
Next
' Tear down the temporary namespace created above.
provider.RsopDeleteSession namespaceLocation, hResult

The code works on XP, Vista, 2k3, 2k8 and Win7 (as a domain user with local admin).
Output is as follows:

Security Audit Policy Settings
==================================================
Category: AuditPolicyChange
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 2
Failure: False
Success: False
==================================================
Category: AuditSystemEvents
Precedence: 2
Failure: False
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditDSAccess
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditObjectAccess
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditObjectAccess
Precedence: 1
Failure: True
Success: False
==================================================
Category: AuditDSAccess
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditPolicyChange
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditSystemEvents
Precedence: 1
Failure: False
Success: True

-rich

Author Comment

by:Roland_F
ID: 39222508
This is important because I am dealing with numerous server networks, most of which do not have Domain definitions. So:
(1) I can set audit policy on each machine.
(2) I can query the settings using Auditpol.
(3) The settings, however, do not exist in the RSOP namespace, or if they do, there is no way that WMI can see them.
Is this correct? Because, if it is, I will have to abandon this approach and try another.

Accepted Solution

by: Rich Rumble (earned 250 total points)
ID: 39222529
If it's not set using GPOs, then this approach will not work, from my testing. Using Secpol.msc or Auditpol.exe will not populate the WMI query even when the namespace is valid. Parsing the output of "auditpol.exe /get /category:*" might be the better way.
-rich
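As an added illustration of the auditpol-parsing approach suggested in the accepted solution (this is not code from the thread): the script below reads the CSV report that "auditpol /get /category:* /r" prints, which reflects settings made locally with auditpol or secpol.msc on workgroup machines where RSOP_AuditPolicy stays empty, and checks it against an assumed baseline. It assumes PowerShell 3.0 or later and an elevated prompt; the baseline subcategory names and the sample report are constructed for the demonstration.

```powershell
# Added example, not from the thread. Parses the CSV report of
# "auditpol /get /category:* /r" into objects and checks a baseline.
# Report columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting.

function ConvertFrom-AuditpolReport {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Some builds print a leading blank line; drop empty lines before parsing.
    $Lines | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Subcategory = $_.Subcategory
            Guid        = $_.'Subcategory GUID'
            # "Inclusion Setting" is one of: No Auditing, Success, Failure,
            # Success and Failure.
            Success     = [bool]($_.'Inclusion Setting' -match 'Success')
            Failure     = [bool]($_.'Inclusion Setting' -match 'Failure')
        }
    }
}

function Get-LocalAuditPolicy {
    # Reading the policy needs an elevated prompt (SeSecurityPrivilege).
    $report = & auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) { throw "auditpol.exe failed (exit $LASTEXITCODE); run elevated" }
    ConvertFrom-AuditpolReport -Lines $report
}

# Assumed baseline: subcategories that must audit both Success and Failure.
# Adjust to your own standard; names are the ones auditpol prints.
$RequiredBoth = 'Logon', 'Audit Policy Change', 'Security State Change', 'User Account Management'

function Test-AuditBaseline {
    param([Parameter(Mandatory)][object[]]$Policy)
    foreach ($name in $RequiredBoth) {
        $entry = $Policy | Where-Object { $_.Subcategory -eq $name }
        [pscustomobject]@{
            Subcategory = $name
            Compliant   = [bool]($entry -and $entry.Success -and $entry.Failure)
        }
    }
}

# Constructed sample report (placeholder GUIDs) so the parser runs offline.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'HOST1,System,Security State Change,{placeholder-guid},Success,'
    'HOST1,System,Logon,{placeholder-guid},Success and Failure,'
    'HOST1,System,Audit Policy Change,{placeholder-guid},Success and Failure,'
    'HOST1,System,User Account Management,{placeholder-guid},No Auditing,'
)
Test-AuditBaseline -Policy (ConvertFrom-AuditpolReport -Lines $sample) | Format-Table
# On a real machine: Test-AuditBaseline -Policy (Get-LocalAuditPolicy) | Format-Table
```

With the sample report, Logon and Audit Policy Change come out compliant while Security State Change (Success only) and User Account Management (No Auditing) do not.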

Author Closing Comment

by:Roland_F
ID: 39232069
Not what I was hoping for, but at least you have managed to convince me that WMI is not the way to access audit policy information.