Solved

WMI access to audit policy info

Posted on 2013-06-03
Last Modified: 2013-06-08
(Trying this again, now that I have better info.)
Windows 7, Local computer ...
I have set most of the audit policy settings. Auditpol confirms that they are set.
WMI Explorer, accessing RSOP_AuditPolicy in the root\rsop\computer name space, finds 0 instances. Likewise for other apparently useful classes. So here are my questions:
(1) Is the audit and security policy setting info accessible using WMI?
(2) If so, what do I have to do to get it?
Question by:Roland_F

Expert Comment

by:Rich Rumble
ID: 39218721
That is not a dynamic namespace, so it's harder to have a tool like the Scriptomatic create a script for it. Have a look at these: http://www.activexperts.com/activmonitor/windowsmanagement/scripts/grouppolicy/

strComputer = "."
Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\rsop\computer")

Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")

For Each objItem in colItems  
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
    Wscript.Echo
Next

Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\rsop\computer")

Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPLink")

For Each objItem in colItems
    Wscript.Echo "GPO: " & objItem.GPO
    Wscript.Echo "Applied Order: " & objItem.AppliedOrder
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "Link Order: " & objItem.LinkOrder
    Wscript.Echo "No Override: " & objItem.NoOverride
    Wscript.Echo "SOM Order: " & objItem.SOMOrder
    Wscript.Echo
Next

Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\rsop\computer")

Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO")

For Each objItem in colItems  
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "GUID Name: " & objItem.GUIDName
    Wscript.Echo "ID: " & objItem.ID
    Wscript.Echo "Access Denied: " & objItem.AccessDenied
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "File System path: " & objItem.FileSystemPath
    Wscript.Echo "Filter Allowed: " & objItem.FilterAllowed
    Wscript.Echo "Filter ID: " & objItem.FilterId
    Wscript.Echo "Version: " & objItem.Version
    Wscript.Echo
Next


-rich
 

Author Comment

by:Roland_F
ID: 39218949
Thanks, but I have no problem getting information from "RSOP_GPO". I can also get info from six or seven other classes, but not from anything that should be giving me audit policy settings. I suspect there is a security switch somewhere that says WMI may or may not have access to this info. That's what I'm asking about.

Expert Comment

by:Rich Rumble
ID: 39219619
I see, workgroup or non-domain joined PCs won't have anything listed, the following script only outputs "Security Audit Policy Settings" even if the settings are set, they are not set using a GPO. Also it appears LOCAL accounts cannot query the RSOP namespace from my limited testing, but Domain accounts can...
Const FL_FORCE_CREATE_NAMESPACE = 4
strComputer = "."
' Connect to root\rsop and get the RSoP logging-mode provider
Set locator = CreateObject("WbemScripting.SWbemLocator")
Set connection = locator.ConnectServer( strComputer, "root\rsop", null, null, null, null, 0, null)
Set provider = connection.Get("RsopLoggingModeProvider")
' Create a temporary RSoP session; namespaceLocation receives its namespace path
provider.RsopCreateSession FL_FORCE_CREATE_NAMESPACE, Null, namespaceLocation, hResult, eInfo
' Connect to the Computer branch of the temporary namespace
Set rsopProv = locator.ConnectServer _
    (strComputer, namespaceLocation & "\Computer", null, null, Null, Null, 0 , Null)
WScript.Echo "Security Audit Policy Settings"
Set colItems = rsopProv.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    WScript.Echo String(50, "=")
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
Next
' Delete the temporary namespace created above
provider.RsopDeleteSession namespaceLocation, hResult


The code works on XP, Vista, 2k3, 2k8 and Win7 (as a domain user with local admin).
Output is as follows:


Security Audit Policy Settings
==================================================
Category: AuditPolicyChange
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 2
Failure: False
Success: False
==================================================
Category: AuditSystemEvents
Precedence: 2
Failure: False
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditDSAccess
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditObjectAccess
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditObjectAccess
Precedence: 1
Failure: True
Success: False
==================================================
Category: AuditDSAccess
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditPolicyChange
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditSystemEvents
Precedence: 1
Failure: False
Success: True


-rich

Author Comment

by:Roland_F
ID: 39222508
This is important because I am dealing with numerous server networks, most of which do not have Domain definitions. So:
(1) I can set audit policy on each machine.
(2) I can query the settings using Auditpol.
(3) The settings, however, do not exist in the RSOP name space or if they do, there is no way that WMI can see them.
Is this correct? Because, if it is, I will have to abandon this approach and try another.

Accepted Solution

by:Rich Rumble (earned 250 total points)
ID: 39222529
If it's not set using GPOs, then this approach will not work from my testing. Using Secpol.msc or Auditpol.exe will not populate the WMI query even when the namespace is valid. Parsing the output of "auditpol.exe /get /category:*" might be the better way.
-rich
0
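An added example, not part of the original thread: one way to parse "auditpol.exe /get /category:*" text output, as the accepted answer suggests, and compare it with a required baseline. It assumes English-locale output; the sample text and the baseline are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample of English-locale `auditpol /get /category:*` output
# (abbreviated; real output lists every category and subcategory).
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
System
  System Integrity                        Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
Policy Change
  Audit Policy Change                     No Auditing
"""

# Setting text -> (success audited, failure audited)
SETTINGS = {"No Auditing": (False, False), "Success": (True, False),
            "Failure": (False, True), "Success and Failure": (True, True)}
# Indented subcategory name, 2+ spaces, then one of the known settings.
ROW = re.compile(r"^\s+(\S.*?)\s{2,}(%s)\s*$" % "|".join(map(re.escape, SETTINGS)))

def parse_auditpol(text):
    """Return {(category, subcategory): (success, failure)}."""
    policy, category = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m and category:
            policy[(category, m.group(1))] = SETTINGS[m.group(2)]
        elif line.strip() and not line[0].isspace():
            category = line.strip()  # unindented: banner/header or category name
    return policy

def missing_coverage(policy, baseline):
    """List baseline entries whose required success/failure auditing is not set."""
    gaps = []
    for key, (need_s, need_f) in baseline.items():
        have_s, have_f = policy.get(key, (False, False))
        if (need_s and not have_s) or (need_f and not have_f):
            gaps.append(key)
    return sorted(gaps)

# Hypothetical baseline for illustration; substitute your own requirements.
BASELINE = {("Logon/Logoff", "Logon"): (True, True),
            ("Logon/Logoff", "Logoff"): (True, True),
            ("Policy Change", "Audit Policy Change"): (True, False)}

if __name__ == "__main__":
    print(missing_coverage(parse_auditpol(SAMPLE), BASELINE))
```

On a live machine, feed parse_auditpol the text captured from an elevated auditpol run; rows whose setting text is not one of the four known strings (for example on a localized system) are skipped.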
 

Author Closing Comment

by:Roland_F
ID: 39232069
Not what I was hoping for, but at least you have managed to convince me that WMI is not the way to access audit policy information.