Esempio n. 1
        /// <summary>
        /// Writes one console line describing the audit setting of a single audit category:
        /// the text "AuditCategory" followed by the category name, then one token per
        /// success/failure flag that is set, then a newline.
        /// </summary>
        /// <param name="EventTypeIndex">
        /// Numeric category index; it is cast to <c>POLICY_AUDIT_EVENT_TYPE</c> to pick the name.
        /// Values that match none of the seven categories handled here print "Unknown".
        /// </param>
        /// <param name="EventOption">Auditing flags for that category.</param>
        /// <remarks>
        /// Only the SUCCESS and FAILURE flags are reported. A line with nothing after the
        /// category name means neither flag is set in <paramref name="EventOption"/>; any other
        /// bits the value may carry are not shown, so do not read the output as a complete dump
        /// of the option value.
        /// </remarks>
        private static void DisplayAuditEventOption(uint EventTypeIndex, POLICY_AUDIT_EVENT_OPTIONS EventOption)
        {
            // Map the category to the suffix that follows the fixed "AuditCategory" prefix.
            string categorySuffix = (POLICY_AUDIT_EVENT_TYPE)EventTypeIndex switch
            {
                POLICY_AUDIT_EVENT_TYPE.AuditCategorySystem => "System",
                POLICY_AUDIT_EVENT_TYPE.AuditCategoryLogon => "Logon",
                POLICY_AUDIT_EVENT_TYPE.AuditCategoryObjectAccess => "ObjectAccess",
                POLICY_AUDIT_EVENT_TYPE.AuditCategoryPrivilegeUse => "PrivilegeUse",
                POLICY_AUDIT_EVENT_TYPE.AuditCategoryDetailedTracking => "DetailedTracking",
                POLICY_AUDIT_EVENT_TYPE.AuditCategoryPolicyChange => "PolicyChange",
                POLICY_AUDIT_EVENT_TYPE.AuditCategoryAccountManagement => "AccountManagement",
                _ => "Unknown",
            };

            Console.Write("AuditCategory");
            Console.Write(categorySuffix);

            // Success and failure auditing are independent bits, so both tokens may appear.
            bool auditsSuccess = EventOption.IsFlagSet(POLICY_AUDIT_EVENT_OPTIONS.POLICY_AUDIT_EVENT_SUCCESS);
            if (auditsSuccess)
            {
                Console.Write(" AUDIT_EVENT_SUCCESS");
            }

            bool auditsFailure = EventOption.IsFlagSet(POLICY_AUDIT_EVENT_OPTIONS.POLICY_AUDIT_EVENT_FAILURE);
            if (auditsFailure)
            {
                Console.Write(" AUDIT_EVENT_FAILURE");
            }

            Console.Write("\n");
        }
Esempio n. 2
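        /// <summary>
        /// Changes the auditing options of one audit category in the LSA policy, leaving every
        /// other category as it is.
        /// </summary>
        /// <param name="PolicyHandle">
        /// Open LSA policy handle used for both the query and the update.
        /// NOTE(review): presumably it must have been opened with POLICY_VIEW_AUDIT_INFORMATION
        /// and POLICY_SET_AUDIT_REQUIREMENTS access; confirm against the caller.
        /// </param>
        /// <param name="EventType">Audit category to change; used as an index into the options array.</param>
        /// <param name="EventOption">New auditing options for that category.</param>
        /// <remarks>
        /// This rewrites system audit policy, so it is a security-sensitive operation: a caller
        /// that passes an option without the success/failure flags reduces what the Security log
        /// records for that category. Only the per-category options are written here; the code
        /// does not modify whether auditing as a whole is enabled.
        /// NOTE(review): audit policy changes are normally recorded as Security event 4719;
        /// confirm that event is collected and monitored wherever this code runs.
        /// </remarks>
        private static void SetAuditEvent(LSA_HANDLE PolicyHandle, POLICY_AUDIT_EVENT_TYPE EventType, POLICY_AUDIT_EVENT_OPTIONS EventOption)
        {
            // Read the current audit-events policy; it supplies the category count and the
            // options array that is sent back below.
            var pae = LsaQueryInformationPolicy<POLICY_AUDIT_EVENTS_INFO>(PolicyHandle);

            // Reject an out-of-range category or an invalid option before touching the array.
            // The bound is ">=": valid indexes run from 0 to MaximumAuditEventCount - 1, and the
            // previous ">" let EventType == MaximumAuditEventCount through to the indexed write
            // below (assumes EventAuditingOptions holds MaximumAuditEventCount entries - TODO
            // confirm). The cast to uint also turns a negative enum value into a large number,
            // so it is rejected by the same comparison.
            if ((uint)EventType >= pae.MaximumAuditEventCount || !EventOption.IsValid())
            {
                throw ((NTStatus)NTStatus.STATUS_INVALID_PARAMETER).GetException();
            }

            // Mark every category as "unchanged" so the update leaves the others alone...
            for (var i = 0U; i < pae.MaximumAuditEventCount; i++)
            {
                pae.EventAuditingOptions[i] = POLICY_AUDIT_EVENT_OPTIONS.POLICY_AUDIT_EVENT_UNCHANGED;
            }

            // ...then overwrite only the requested category with the new options.
            pae.EventAuditingOptions[(int)EventType] = EventOption;

            // Write the modified structure back to the policy.
            LsaSetInformationPolicy(PolicyHandle, pae);
        }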