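@echo off
REM CustomSetAuditPolicy.cmd
REM by Aaron Czechowski, Microsoft Consulting Services
REM v2, 29 February 2008
REM
REM Purpose: sets success/failure auditing for each audit policy subcategory
REM with "auditpol /set", then prints the resulting policy with
REM "auditpol /get /category:*" so the operator can confirm what is in effect.
REM
REM Operational notes:
REM  - Run from an elevated (administrator) command prompt. A failed
REM    "auditpol /set" is reported on stderr and counted; the script keeps
REM    going and exits with the number of failed commands (0 = all applied).
REM  - Subcategories are addressed by their English display names, which are
REM    localized on non-English Windows. auditpol also accepts subcategory
REM    GUIDs; "auditpol /list /subcategory:* /v" prints them for the local host.
REM  - Settings written here can be overwritten by Group Policy. If legacy
REM    category-level audit policy is deployed, it can replace these values
REM    unless "Audit: Force audit policy subcategory settings (Windows Vista or
REM    later) to override audit policy category settings" is enabled.
REM    Always check the "Confirm settings" output at the end.

setlocal EnableExtensions
set FAILED=0

echo.
echo ***** Category: "Account Management"
call :SetAudit "Application Group Management" disable disable
call :SetAudit "Computer Account Management" enable enable
call :SetAudit "Distribution Group Management" disable disable
call :SetAudit "Other Account Management Events" enable enable
call :SetAudit "Security Group Management" enable enable
call :SetAudit "User Account Management" enable enable

echo.
echo.
echo ***** Category: "Detailed Tracking"
call :SetAudit "DPAPI Activity" disable disable
call :SetAudit "Process Creation" enable disable
call :SetAudit "Process Termination" disable disable
call :SetAudit "RPC Events" disable disable

REM NOTE(review): every DS Access subcategory is disabled. On a domain
REM controller this leaves directory object changes unaudited; confirm this is
REM intended for the roles this script is applied to.
echo.
echo.
echo ***** Category: "DS Access"
call :SetAudit "Detailed Directory Service Replication" disable disable
call :SetAudit "Directory Service Access" disable disable
call :SetAudit "Directory Service Changes" disable disable
call :SetAudit "Directory Service Replication" disable disable

REM NOTE(review): "Account Lockout" and "Other Logon/Logoff Events" are
REM disabled, and "Special Logon" records successes only.
echo.
echo.
echo ***** Category: "Logon/Logoff"
call :SetAudit "Account Lockout" disable disable
call :SetAudit "IPsec Extended Mode" disable disable
call :SetAudit "IPsec Main Mode" disable disable
call :SetAudit "IPsec Quick Mode" disable disable
call :SetAudit "Logoff" enable disable
call :SetAudit "Logon" enable enable
call :SetAudit "Network Policy Server" disable disable
call :SetAudit "Other Logon/Logoff Events" disable disable
call :SetAudit "Special Logon" enable disable

REM "File System" and "Registry" audit failures only. Object access events
REM are generated only for objects that carry a matching SACL, so enabling the
REM subcategory alone does not produce events.
echo.
echo.
echo ***** Category: "Object Access"
call :SetAudit "Application Generated" disable disable
call :SetAudit "Certification Services" disable disable
call :SetAudit "File Share" disable disable
call :SetAudit "File System" disable enable
call :SetAudit "Filtering Platform Connection" disable disable
call :SetAudit "Filtering Platform Packet Drop" disable disable
call :SetAudit "Handle Manipulation" disable disable
call :SetAudit "Kernel Object" disable disable
call :SetAudit "Other Object Access Events" disable disable
call :SetAudit "Registry" disable enable
call :SetAudit "SAM" disable disable

REM "Audit Policy Change" stays enabled for success and failure, so changes to
REM the audit policy itself (including the ones this script makes) are logged.
echo.
echo.
echo ***** Category: "Policy Change"
call :SetAudit "Audit Policy Change" enable enable
call :SetAudit "Authentication Policy Change" enable disable
call :SetAudit "Authorization Policy Change" disable disable
call :SetAudit "Filtering Platform Policy Change" disable disable
call :SetAudit "MPSSVC Rule-Level Policy Change" disable disable
call :SetAudit "Other Policy Change Events" disable disable

echo.
echo.
echo ***** Category: "Privilege Use"
call :SetAudit "Non Sensitive Privilege Use" disable disable
call :SetAudit "Other Privilege Use Events" disable disable
call :SetAudit "Sensitive Privilege Use" enable enable

echo.
echo.
echo ***** Category: "System"
call :SetAudit "IPsec Driver" enable enable
call :SetAudit "Other System Events" disable disable
call :SetAudit "Security State Change" enable enable
call :SetAudit "Security System Extension" enable enable
call :SetAudit "System Integrity" enable enable

REM NOTE(review): the whole Account Logon category is disabled. With these
REM settings no Kerberos ticket events (4768/4769) or NTLM credential
REM validation events (4776) are recorded, which removes the usual source for
REM detecting password guessing against domain accounts. Confirm this is a
REM deliberate choice before applying to domain controllers.
echo.
echo.
echo ***** Category: "Account Logon"
call :SetAudit "Kerberos Service Ticket Operations" disable disable
call :SetAudit "Other Account Logon Events" disable disable
call :SetAudit "Kerberos Authentication Service" disable disable
call :SetAudit "Credential Validation" disable disable

echo.
echo.
echo Confirm settings:
auditpol /get /category:*
REM A failing read-back means the listing above cannot be trusted either.
if errorlevel 1 set /a FAILED+=1
echo.

if not "%FAILED%"=="0" (
    >&2 echo WARNING: %FAILED% auditpol command failures - the policy above may be incomplete.
)
REM %FAILED% is expanded before endlocal runs, so the count survives as the
REM script's exit code.
endlocal & exit /b %FAILED%

REM ---------------------------------------------------------------------------
REM :SetAudit  - apply one subcategory setting and record a failure if any.
REM   %1 = subcategory display name, passed in double quotes
REM   %2 = success auditing: enable or disable
REM   %3 = failure auditing: enable or disable
REM Prints the same "Changing ..." banner the original script printed before
REM each auditpol call. A non-zero auditpol exit code is treated as failure.
REM ---------------------------------------------------------------------------
:SetAudit
echo.
echo Changing %1...
auditpol /set /subcategory:%1 /success:%2 /failure:%3
if errorlevel 1 (
    >&2 echo ERROR: auditpol could not set %1
    set /a FAILED+=1
)
goto :eof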