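@echo off
:: Sets a baseline advanced audit policy (per-subcategory) with Auditpol and snapshots
:: the policy BEFORE and AFTER the change so the result can be reviewed, diffed and rolled back.
::
:: Requires an elevated (Administrator) prompt: "Auditpol /set" fails per line otherwise and
:: the script would silently leave the policy unchanged, so elevation is checked up front.
:: Snapshot files are written next to this script (%~dp0) rather than to the current
:: directory, so they land in a predictable place when run from a scheduled task or shortcut.
:: ------------------------------------------------------------------------------------------------------------------------------
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo This script must be run from an elevated command prompt.
    exit /b 1
)
set "OUTDIR=%~dp0"
::
:: CAPTURE THE SETTINGS - BEFORE they have been modified
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /get /category:* > "%OUTDIR%AuditPol_BEFORE_%computername%.txt"
::
:: To Track Account Logon Activities
:: ------------------------------------------------------------------------------------------------------------------------------
:: Note: The two Kerberos subcategories are produced by the KDC, i.e. they only yield events on domain controllers;
::       enable them there if Kerberos ticket activity is to be tracked.
Auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
Auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable
Auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
Auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
::
:: To Track Account Management
:: ------------------------------------------------------------------------------------------------------------------------------
:: Sets - the entire category - Auditpol /set /category:"Account Management" /success:enable /failure:enable
::
Auditpol /set /subcategory:"Application Group Management" /success:disable /failure:disable
Auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
Auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
::
:: Detailed Tracking
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
Auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
Auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
Auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
::
:: To Track Directory Service Access
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
Auditpol /set /subcategory:"Directory Service Access" /success:disable /failure:disable
Auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
Auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
::
:: To Track Logon/Logoff Activities
:: ------------------------------------------------------------------------------------------------------------------------------
:: NOTE(review): on current Windows versions the lockout event under "Account Lockout" is logged as a
::               Failure event - confirm against the target OS and enable /failure there if so.
Auditpol /set /subcategory:"Account Lockout" /success:enable /failure:disable
Auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
Auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
Auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
Auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
Auditpol /set /subcategory:"Logon" /success:enable /failure:enable
Auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable
Auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
Auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable
::
:: To Track Object Access
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
Auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
:: Both flags are set explicitly so the resulting policy does not depend on the previous state of the machine.
Auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
:: Note: "File Share" and "Detailed File Share" can be very noisy on file servers; "File System" only produces
::       events for objects that carry an audit SACL, so audit only locations that are not noisy.
Auditpol /set /subcategory:"File Share" /success:enable /failure:enable
Auditpol /set /subcategory:"File System" /success:enable /failure:enable
Auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
::
:: To Track Policy Changes
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
Auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:disable
Auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
::
:: Note: Enable the next two if you use Windows Firewall and want to monitor changes to its rules
::
Auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
Auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
Auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:disable
::
:: To Track Privilege Use
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
Auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
Auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
::
:: To Track SYSTEM events
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
Auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
Auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
Auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
Auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
::
:: CAPTURE THE SETTINGS - AFTER they have been modified
:: ------------------------------------------------------------------------------------------------------------------------------
:: Compare the two snapshots to verify every line above took effect.
Auditpol /get /category:* > "%OUTDIR%AuditPol_AFTER_%computername%.txt"
exit /b 0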