Solved

WMI access to audit policy info

Posted on 2013-06-03
Last Modified: 2013-06-08
(Trying this again, now that I have better info.)
Windows 7, Local computer ...
I have set most of the audit policy settings. Auditpol confirms that they are set.
WMI Explorer, accessing RSOP_AuditPolicy in the root\rsop\computer namespace, finds 0 instances. Likewise for other apparently useful classes. So here are my questions:
(1) Is the audit and security policy setting info accessible using WMI?
(2) If so, what do I have to do to get it?
Question by:Roland_F
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39218721
That is not a dynamic namespace, so it's harder to have a tool like the Scriptomatic create a script for it. Have a look at these: http://www.activexperts.com/activmonitor/windowsmanagement/scripts/grouppolicy/

strComputer = "."

' Connect once to the RSOP "computer" namespace; the same connection serves all three queries
Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\rsop\computer")

' Audit policy categories with their Success/Failure settings and precedence
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")

For Each objItem in colItems
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
    Wscript.Echo
Next

' Links between GPOs and the scope of management (SOM) they are applied to
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPLink")

For Each objItem in colItems
    Wscript.Echo "GPO: " & objItem.GPO
    Wscript.Echo "Applied Order: " & objItem.AppliedOrder
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "Link Order: " & objItem.LinkOrder
    Wscript.Echo "No Override: " & objItem.NoOverride
    Wscript.Echo "SOM Order: " & objItem.SOMOrder
    Wscript.Echo
Next

' The GPOs themselves, including whether this machine was denied access to any of them
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO")

For Each objItem in colItems
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "GUID Name: " & objItem.GUIDName
    Wscript.Echo "ID: " & objItem.ID
    Wscript.Echo "Access Denied: " & objItem.AccessDenied
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "File System path: " & objItem.FileSystemPath
    Wscript.Echo "Filter Allowed: " & objItem.FilterAllowed
    Wscript.Echo "Filter ID: " & objItem.FilterId
    Wscript.Echo "Version: " & objItem.Version
    Wscript.Echo
Next


-rich

Author Comment

by:Roland_F
ID: 39218949
Thanks, but I have no problem getting information from "RSOP_GPO". I can also get info from six or seven other classes, but not from anything that should be giving me audit policy settings. I suspect there is a security switch somewhere that says WMI may or may not have access to this info. That's what I'm asking about.
LVL 38

Expert Comment

by:Rich Rumble
ID: 39219619
I see. Workgroup or non-domain-joined PCs won't have anything listed; the following script only outputs "Security Audit Policy Settings" even if the settings are set, because they are not set using a GPO. Also, it appears LOCAL accounts cannot query the RSOP namespace from my limited testing, but Domain accounts can...
' Force a fresh RSOP logging-mode session so the namespace is populated before it is queried
Const FL_FORCE_CREATE_NAMESPACE = 4
strComputer = "."
Set locator = CreateObject("WbemScripting.SWbemLocator")
Set connection = locator.ConnectServer(strComputer, "root\rsop", Null, Null, Null, Null, 0, Null)
Set provider = connection.Get("RsopLoggingModeProvider")
' Creates a per-session namespace and returns its path in namespaceLocation
provider.RsopCreateSession FL_FORCE_CREATE_NAMESPACE, Null, namespaceLocation, hResult, eInfo
Set rsopProv = locator.ConnectServer _
    (strComputer, namespaceLocation & "\Computer", Null, Null, Null, Null, 0, Null)
WScript.Echo "Security Audit Policy Settings"
Set colItems = rsopProv.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    WScript.Echo String(50, "=")
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
Next
' Tear the session namespace down again when done
provider.RsopDeleteSession namespaceLocation, hResult


The code works on XP, Vista, 2k3, 2k8 and Win7 (as a domain user with local admin).
Output is as follows:

Security Audit Policy Settings
==================================================
Category: AuditPolicyChange
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 2
Failure: False
Success: False
==================================================
Category: AuditSystemEvents
Precedence: 2
Failure: False
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditDSAccess
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditObjectAccess
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditObjectAccess
Precedence: 1
Failure: True
Success: False
==================================================
Category: AuditDSAccess
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditPolicyChange
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditSystemEvents
Precedence: 1
Failure: False
Success: True

-rich

Author Comment

by:Roland_F
ID: 39222508
This is important because I am dealing with numerous server networks, most of which do not have Domain definitions. So:
(1) I can set audit policy on each machine.
(2) I can query the settings using Auditpol.
(3) The settings, however, do not exist in the RSOP namespace, or if they do, there is no way that WMI can see them.
Is this correct? Because, if it is, I will have to abandon this approach and try another.
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 39222529
If it's not set using GPOs, then this approach will not work from my testing. Using Secpol.msc or Auditpol.exe will not populate the WMI query even when the namespace is valid. Parsing the output of "auditpol.exe /get /category:*" might be the better way.
-rich
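Since the accepted answer points at parsing auditpol output instead of WMI, here is an added PowerShell example (not code from the thread or from either poster) that reads the CSV form produced by auditpol's /r report switch and flags subcategories whose auditing falls short of a baseline. The sample rows, the placeholder GUIDs and the baseline are constructed; the live command is shown in a comment.

```powershell
# Added example: turn "auditpol /get /category:* /r" (CSV report) into objects and
# compare them against a required baseline. Sample data below is constructed.

function ConvertFrom-AuditPolReport {
    param([Parameter(Mandatory)][string[]]$Lines)
    # auditpol /r emits a header row plus one row per subcategory (and a leading blank line)
    $Lines | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv | ForEach-Object {
        $inc = $_.'Inclusion Setting'      # "Success", "Failure", "Success and Failure", "No Auditing"
        [pscustomobject]@{
            Subcategory = $_.Subcategory
            Guid        = $_.'Subcategory GUID'
            Success     = ($inc -match 'Success')
            Failure     = ($inc -match 'Failure')
        }
    }
}

function Get-AuditGaps {
    param(
        [Parameter(Mandatory)]$Policy,                 # output of ConvertFrom-AuditPolReport
        [Parameter(Mandatory)][hashtable]$Baseline     # Subcategory -> required setting text
    )
    foreach ($name in $Baseline.Keys) {
        $row   = $Policy | Where-Object Subcategory -eq $name
        $wantS = $Baseline[$name] -match 'Success'
        $wantF = $Baseline[$name] -match 'Failure'
        if (-not $row) {
            [pscustomobject]@{ Subcategory = $name; Problem = 'not present in auditpol report' }
        } elseif (($wantS -and -not $row.Success) -or ($wantF -and -not $row.Failure)) {
            [pscustomobject]@{ Subcategory = $name
                               Problem = "have Success=$($row.Success) Failure=$($row.Failure); want $($Baseline[$name])" }
        }
    }
}

# Constructed sample in the shape auditpol /get /category:* /r emits (GUIDs are placeholders).
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,
SRV01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000002},Success,
SRV01,System,Process Creation,{00000000-0000-0000-0000-000000000003},No Auditing,
'@ -split "`r?`n"

$policy = ConvertFrom-AuditPolReport -Lines $sample
# Live machine instead: $policy = ConvertFrom-AuditPolReport -Lines (auditpol /get /category:* /r)
$baseline = @{ 'Logon' = 'Success and Failure'; 'Audit Policy Change' = 'Success and Failure'; 'Process Creation' = 'Success' }
Get-AuditGaps -Policy $policy -Baseline $baseline | Format-Table -AutoSize
```

With the sample rows, "Audit Policy Change" (missing Failure) and "Process Creation" (no auditing) are reported as gaps while "Logon" passes; run the live command as an administrator so auditpol can read the policy.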
 

Author Closing Comment

by:Roland_F
ID: 39232069
Not what I was hoping for, but at least you have managed to convince me that WMI is not the way to access audit policy information.