I'm trying to set ACL advanced permissions for Auditing (SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership):
PS C:\> Get-Acl HKLM:\SOFTWARE -Audit | fl

Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE
Owner  : BUILTIN\Administrators
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow FullControl
         NT AUTHORITY\SYSTEM Allow FullControl
         BUILTIN\Administrators Allow FullControl
         BUILTIN\Users Allow ReadKey
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
Audit  : Everyone Success SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership
I can do so manually, but I get an error when running this script:
$AuditUser = "Everyone"
$AuditRules = "ReadData, TakeOwnership"
$InheritType = "None"
$PropagationFlags = "None"
$AuditType = "Success"
$FileReadSuccessAudit = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,
$AuditRules,$InheritType,$PropagationFlags,$AuditType)
$FilePath = "HKLM:\SOFTWARE"
$Acl = Get-Acl $FilePath -Audit
$Acl.SetAuditRule($FileReadSuccessAudit)
Cannot convert argument "rule", with value: "System.Security.AccessControl.FileSystemAuditRule", for "SetAuditRule" to
type "System.Security.AccessControl.RegistryAuditRule": "Cannot convert the
"System.Security.AccessControl.FileSystemAuditRule" value of type "System.Security.AccessControl.FileSystemAuditRule"
to type "System.Security.AccessControl.RegistryAuditRule"."
At line:1 char:1
+ $Acl.SetAuditRule($FileReadSuccessAudit)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodException
+ FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
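
Added example, not part of the original post: the error above is a type mismatch, because Get-Acl on a registry path returns a RegistrySecurity object whose SetAuditRule accepts only a RegistryAuditRule built from RegistryRights values. The function name Set-RegistryKeyAudit and its parameter names are hypothetical; the rights, identity and path defaults are the ones shown in the question.

```powershell
# Added example. Run from an elevated session: reading or writing a SACL
# requires the "Manage auditing and security log" right (SeSecurityPrivilege).
function Set-RegistryKeyAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone',
        # Names must come from the RegistryRights enum. "ReadData" in the
        # question's script is a FileSystemRights name and has no registry meaning.
        [System.Security.AccessControl.RegistryRights]$Rights =
            'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags]$Inheritance = 'None',
        [System.Security.AccessControl.PropagationFlags]$Propagation = 'None',
        [System.Security.AccessControl.AuditFlags]$AuditType = 'Success'
    )

    # -Audit is needed, otherwise the SACL is not loaded into the object.
    $acl = Get-Acl -Path $Path -Audit

    # Fail early with a clear message if the path is not a registry key.
    if ($acl -isnot [System.Security.AccessControl.RegistrySecurity]) {
        throw "'$Path' is not a registry key; build the audit rule type that matches its provider."
    }

    # RegistryAuditRule takes the same five arguments as FileSystemAuditRule,
    # but with RegistryRights in the second position.
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        $Identity, $Rights, $Inheritance, $Propagation, $AuditType)

    # SetAuditRule removes existing audit rules for this identity, then adds the new one.
    $acl.SetAuditRule($rule)

    # The change only exists in memory until it is written back with Set-Acl.
    if ($PSCmdlet.ShouldProcess($Path, "Set audit rule for $Identity")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # Read the SACL back from the key so the result can be checked.
    (Get-Acl -Path $Path -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount])
}

# Preview first with -WhatIf, then run without it to apply.
Set-RegistryKeyAudit -Path 'HKLM:\SOFTWARE' -WhatIf |
    Format-Table IdentityReference, AuditFlags, RegistryRights, IsInherited -AutoSize
```

The SACL only defines what is audited; events are written to the Security log only when the "Audit Registry" subcategory of the audit policy is also enabled.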