Have you accidentally (or purposefully) deleted the inheritance of your auditing entries on an NTFS folder and want them back? Have you been playing with SetAuditRuleProtection and scratching your head as to why it doesn’t appear to work? Well, I was too, and then I stumbled upon this Stack Overflow article.

Turns out we only had an Audit SACL at the root that we wanted to have inherited everywhere. That means the ones that weren’t inheriting properly didn’t have any Audit SACL on them, and therefore SetAuditRuleProtection didn’t do anything.

As per the article, we did the following (that is, add a temp rule while setting SetAuditRuleProtection, and then remove the temp rule). Make sure you are running Get-Acl with the -Audit parameter. This is how we ended up blowing away all the inheritance: when you don’t specify -Audit, Audit SACL info isn’t grabbed, so it appears empty in the object and, when applied, overwrites it to NULL!

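# Placeholder values; replace with your own folder, account, rights and flags.
$Path       = 'D:\Shares\Example'
$Account    = 'Everyone'
$Rights     = [System.Security.AccessControl.FileSystemRights]::Delete
$AuditFlags = [System.Security.AccessControl.AuditFlags]::Success

# Step 1: read the ACL including the SACL (-Audit), add a temporary audit rule
# and re-enable inheritance of audit rules from the parent.
$acl = Get-Acl -Path $Path -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Account,
    $Rights,
    $AuditFlags
)
$acl.SetAuditRule($auditRule)
$acl.SetAuditRuleProtection($false, $false) # Resets inheritance from parent
Set-Acl -Path $Path -AclObject $acl
Write-Host "Added temp audit rule to: $Path"

# Step 2: re-read the ACL (again with -Audit) and remove the temporary rule.
$acl = Get-Acl -Path $Path -Audit
$acl.RemoveAuditRule($auditRule)
Set-Acl -Path $Path -AclObject $acl
Write-Host "Removed audit rule from: $Path"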
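
To find which folders need the fix above, the following added example (not code from the original post or the Stack Overflow article) lists folders whose audit rules are protected or that carry no inherited audit rule. The function name and the sample root path are hypothetical, and it assumes the root has an inheritable audit rule, as in the scenario described here.

```powershell
# Added example: report folders whose audit SACL does not inherit from the parent.
# Find-BrokenAuditInheritance and 'D:\Shares' are hypothetical names.
# Run elevated: reading a SACL requires SeSecurityPrivilege.
function Find-BrokenAuditInheritance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Root
    )

    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $folder = $_.FullName
            try {
                # -Audit is required; without it the SACL is not read at all.
                $acl = Get-Acl -LiteralPath $folder -Audit -ErrorAction Stop
            }
            catch {
                Write-Warning "Could not read SACL on ${folder}: $($_.Exception.Message)"
                return   # skip this folder, continue with the next one
            }

            # Explicit and inherited audit rules, resolved to account names.
            $rules     = @($acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]))
            $inherited = @($rules | Where-Object { $_.IsInherited })
            $explicit  = @($rules | Where-Object { -not $_.IsInherited })

            # Flag folders that block inheritance or received nothing from the parent.
            if ($acl.AreAuditRulesProtected -or $inherited.Count -eq 0) {
                [pscustomobject]@{
                    Path           = $folder
                    Protected      = $acl.AreAuditRulesProtected
                    InheritedRules = $inherited.Count
                    ExplicitRules  = $explicit.Count
                }
            }
        }
}

# Example usage with a hypothetical root folder.
Find-BrokenAuditInheritance -Root 'D:\Shares' | Format-Table -AutoSize
```

This only reads ACLs, so it can be run before and after the repair to confirm that the flagged folders now show inherited rules.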