Solved

WMI access to audit policy info

Posted on 2013-06-03
1,814 Views
Last Modified: 2013-06-08
(Trying this again, now that I have better info.)
Windows 7, Local computer ...
I have set most of the audit policy settings. Auditpol confirms that they are set.
WMI Explorer, accessing RSOP_AuditPolicy in the root\rsop\computer name space, finds 0 instances. Likewise for other apparently useful classes. So here are my questions:
(1) Is the audit and security policy setting info accessible using WMI?
(2) If so, what do I have to do to get it?
Question by:Roland_F
6 Comments
LVL 38

Expert Comment

by:Rich Rumble
ID: 39218721
That is not a dynamic namespace so it's harder to have a tool like the Scriptomatic create a script for it, have a look at these: http://www.activexperts.com/activmonitor/windowsmanagement/scripts/grouppolicy/

strComputer = "."
' Connect to the computer half of the RSOP (Resultant Set of Policy) namespace
Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\rsop\computer")

' One instance per GPO-applied audit category; Precedence 1 is the winning value
Set colItems = objWMIService.ExecQuery("Select * from RSOP_AuditPolicy")

For Each objItem in colItems
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
    Wscript.Echo
Next

Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\rsop\computer")

' GPO links in the order they were applied
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPLink")

For Each objItem in colItems
    Wscript.Echo "GPO: " & objItem.GPO
    Wscript.Echo "Applied Order: " & objItem.AppliedOrder
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "Link Order: " & objItem.LinkOrder
    Wscript.Echo "No Override: " & objItem.NoOverride
    Wscript.Echo "SOM Order: " & objItem.SOMOrder
    Wscript.Echo
Next

Set objWMIService = GetObject _
    ("winmgmts:\\" & strComputer & "\root\rsop\computer")

' The GPOs themselves (name, GUID, SYSVOL path, WMI filter, version)
Set colItems = objWMIService.ExecQuery("Select * from RSOP_GPO")

For Each objItem in colItems
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "GUID Name: " & objItem.GUIDName
    Wscript.Echo "ID: " & objItem.ID
    Wscript.Echo "Access Denied: " & objItem.AccessDenied
    Wscript.Echo "Enabled: " & objItem.Enabled
    Wscript.Echo "File System path: " & objItem.FileSystemPath
    Wscript.Echo "Filter Allowed: " & objItem.FilterAllowed
    Wscript.Echo "Filter ID: " & objItem.FilterId
    Wscript.Echo "Version: " & objItem.Version
    Wscript.Echo
Next


-rich
 

Author Comment

by:Roland_F
ID: 39218949
Thanks, but I have no problem getting information from "RSOP_GPO". I can also get info from six or seven other classes, but not from anything that should be giving me audit policy settings. I suspect there is a security switch somewhere that says WMI may or may not have access to this info. That's what I'm asking about.
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39219619
I see, workgroup or non-domain joined PCs won't have anything listed; the following script only outputs "Security Audit Policy Settings" even if the settings are set, because they are not set using a GPO. Also it appears LOCAL accounts cannot query the RSOP namespace from my limited testing, but Domain accounts can...
Const FL_FORCE_CREATE_NAMESPACE = 4
strComputer = "."
Set locator = CreateObject("WbemScripting.SWbemLocator")
Set connection = locator.ConnectServer( strComputer, "root\rsop", null, null, null, null, 0, null)
' Ask the logging-mode provider to build a fresh RSOP snapshot for this computer;
' namespaceLocation receives the name of the namespace it created
Set provider = connection.Get("RsopLoggingModeProvider")
provider.RsopCreateSession FL_FORCE_CREATE_NAMESPACE, Null, namespaceLocation, hResult, eInfo
Set rsopProv = locator.ConnectServer _
    (strComputer, namespaceLocation & "\Computer", null, null, Null, Null, 0 , Null)
WScript.Echo "Security Audit Policy Settings"
' Only audit settings delivered by a GPO show up here
Set colItems = rsopProv.ExecQuery("Select * from RSOP_AuditPolicy")
For Each objItem in colItems
    WScript.Echo String(50, "=")
    Wscript.Echo "Category: " & objItem.Category
    Wscript.Echo "Precedence: " & objItem.Precedence
    Wscript.Echo "Failure: " & objItem.Failure
    Wscript.Echo "Success: " & objItem.Success
Next
' Tear the temporary namespace down again
provider.RsopDeleteSession namespaceLocation, hResult


The code works on XP, Vista, 2k3, 2k8 and Win7 (as a domain user with local admin).
Output is as follows:


Security Audit Policy Settings
==================================================
Category: AuditPolicyChange
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 2
Failure: False
Success: False
==================================================
Category: AuditSystemEvents
Precedence: 2
Failure: False
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditDSAccess
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditObjectAccess
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditObjectAccess
Precedence: 1
Failure: True
Success: False
==================================================
Category: AuditDSAccess
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditAccountManage
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditAccountLogon
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditLogonEvents
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditProcessTracking
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditPolicyChange
Precedence: 2
Failure: True
Success: True
==================================================
Category: AuditSystemEvents
Precedence: 1
Failure: False
Success: True


-rich
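The listing above shows most categories twice, once per GPO that sets them, with Precedence 1 being the winning value. As an added example (not part of the original thread), this Python reduces such a listing to the effective per-category setting; the sample text is a constructed excerpt of the output posted above, using the AuditPrivilegeUse rows where the two GPOs disagree.

```python
import re

# Constructed excerpt of the RSOP_AuditPolicy output posted above.
RSOP_SAMPLE = """\
==================================================
Category: AuditPrivilegeUse
Precedence: 1
Failure: True
Success: True
==================================================
Category: AuditPrivilegeUse
Precedence: 2
Failure: True
Success: False
==================================================
Category: AuditSystemEvents
Precedence: 2
Failure: False
Success: True
==================================================
Category: AuditSystemEvents
Precedence: 1
Failure: False
Success: True
"""

FIELD = re.compile(r"^(\w+): (\S+)$", re.M)


def parse_rsop(text):
    """Return one (category, precedence, success, failure) tuple per block."""
    rows = []
    for block in text.split("=" * 50):
        fields = dict(FIELD.findall(block))
        if "Category" in fields:
            rows.append((fields["Category"], int(fields["Precedence"]),
                         fields["Success"] == "True", fields["Failure"] == "True"))
    return rows


def effective(rows):
    """Keep the entry with the lowest precedence number per category (1 wins)."""
    best = {}
    for cat, prec, succ, fail in rows:
        if cat not in best or prec < best[cat][0]:
            best[cat] = (prec, succ, fail)
    return {cat: {"success": s, "failure": f} for cat, (_, s, f) in best.items()}
```

Remember that this only reflects GPO-delivered settings; a category configured locally with auditpol.exe or secpol.msc will simply be absent from the listing.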
Author Comment

by:Roland_F
ID: 39222508
This is important because I am dealing with numerous server networks, most of which do not have Domain definitions. So:
(1) I can set audit policy on each machine.
(2) I can query the settings using Auditpol.
(3) The settings, however, do not exist in the RSOP name space, or if they do, there is no way that WMI can see them.
Is this correct? Because, if it is, I will have to abandon this approach and try another.
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 250 total points
ID: 39222529
If it's not set using GPOs, then this approach will not work from my testing. Using Secpol.msc or Auditpol.exe will not populate the WMI query even when the namespace is valid. Parsing the output of "auditpol.exe /get /category:*" might be the better way.
-rich
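An added example of the parsing approach suggested in the accepted answer (not code from the thread): it reads the text that "auditpol.exe /get /category:*" prints, maps each subcategory to its success/failure flags, and reports subcategories that fall below a small baseline. The sample output is a constructed excerpt in auditpol's layout, and the baseline is an assumption chosen for the example.

```python
import re

# Constructed excerpt in the layout printed by "auditpol.exe /get /category:*".
AUDITPOL_SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         No Auditing
Account Logon
  Credential Validation                   Success and Failure
"""

SETTINGS = ("No Auditing", "Success and Failure", "Success", "Failure")
SUBCAT = re.compile(r"^\s{2}(\S.*?)\s{2,}(" + "|".join(SETTINGS) + r")\s*$")
HEADERS = ("System audit policy", "Category/Subcategory")


def parse_auditpol(text):
    """Map 'Category/Subcategory' -> (success_audited, failure_audited)."""
    policy, category = {}, None
    for line in text.splitlines():
        m = SUBCAT.match(line)
        if m:
            sub, setting = m.groups()
            policy[f"{category}/{sub}"] = ("Success" in setting, "Failure" in setting)
        elif line and not line.startswith(" ") and not line.startswith(HEADERS):
            category = line.strip()          # unindented line = category header
    return policy


# Assumed minimum for the example: what a logon-monitoring baseline expects.
BASELINE = {
    "Logon/Logoff/Logon": (True, True),
    "Logon/Logoff/Account Lockout": (True, False),
    "Account Logon/Credential Validation": (True, True),
}


def gaps(policy, baseline=BASELINE):
    """Subcategories whose auditing is weaker than the baseline (or missing)."""
    missing = []
    for key, (want_s, want_f) in baseline.items():
        have_s, have_f = policy.get(key, (False, False))
        if (want_s and not have_s) or (want_f and not have_f):
            missing.append(key)
    return missing
```

On a real machine feed it the captured output of the auditpol command (run elevated); the parser is keyed on the English setting strings, so localized builds need the SETTINGS tuple adjusted.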
 

Author Closing Comment

by:Roland_F
ID: 39232069
Not what I was hoping for, but at least you have managed to convince me that WMI is not the way to access audit policy information.
