Powershell – Update NTFS Audit Levels

Here are the required steps for updating audit rules on Windows NTFS shares with PowerShell.

 # PowerShell Script used for updating and removing NTFS Audit Rules
 # The $path variable represents the UNC path to the share that the script is being executed against.
 #
 # Comment or Un-Comment the Remove or Set rules to update a shares permissions.
get-date
 $path \\\
# Get the current ACL details
 $CurrentACL = get-acl $path
if (!($CurrentACL -eq $null)) {
# Success & Failure
 $AccessRule = new-object System.Security.AccessControl.FileSystemAuditRule("Everyone","ChangePermissions,DeleteSubdirectoriesAndFiles,Delete,TakeOwnership","ContainerInherit","None","Success,Failure")
# Remove Audit Rule
 #$CurrentACL.RemoveAuditRule($AccessRule)
# Set New Audit Rule
 #$CurrentACL.AddAuditRule($AccessRule)
# Apply New Permissions
 set-acl $path -AclObject $CurrentACL
 } else {
 Write-Host "ACL's unsuccessfully pulled from path $path"
 }
get-date
Advertisements