/// <summary>
/// Writes one line to the console describing an audit category and the auditing options set for it.
/// </summary>
/// <param name="EventTypeIndex">
/// Index of the audit category; it is cast to <see cref="POLICY_AUDIT_EVENT_TYPE"/> to choose the printed name.
/// A value that matches none of the handled categories is printed as "AuditCategoryUnknown".
/// </param>
/// <param name="EventOption">
/// Option flags for the category. Only the SUCCESS and FAILURE flags are reported; when neither is set,
/// the line holds the category name alone.
/// </param>
private static void DisplayAuditEventOption(uint EventTypeIndex, POLICY_AUDIT_EVENT_OPTIONS EventOption)
{
    // Resolve the suffix that follows the fixed "AuditCategory" prefix.
    string categorySuffix;
    switch ((POLICY_AUDIT_EVENT_TYPE)EventTypeIndex)
    {
        case POLICY_AUDIT_EVENT_TYPE.AuditCategorySystem:
            categorySuffix = "System";
            break;
        case POLICY_AUDIT_EVENT_TYPE.AuditCategoryLogon:
            categorySuffix = "Logon";
            break;
        case POLICY_AUDIT_EVENT_TYPE.AuditCategoryObjectAccess:
            categorySuffix = "ObjectAccess";
            break;
        case POLICY_AUDIT_EVENT_TYPE.AuditCategoryPrivilegeUse:
            categorySuffix = "PrivilegeUse";
            break;
        case POLICY_AUDIT_EVENT_TYPE.AuditCategoryDetailedTracking:
            categorySuffix = "DetailedTracking";
            break;
        case POLICY_AUDIT_EVENT_TYPE.AuditCategoryPolicyChange:
            categorySuffix = "PolicyChange";
            break;
        case POLICY_AUDIT_EVENT_TYPE.AuditCategoryAccountManagement:
            categorySuffix = "AccountManagement";
            break;
        default:
            categorySuffix = "Unknown";
            break;
    }

    var line = "AuditCategory" + categorySuffix;

    // The two flags are independent, so both may be appended (success first).
    var auditsSuccess = EventOption.IsFlagSet(POLICY_AUDIT_EVENT_OPTIONS.POLICY_AUDIT_EVENT_SUCCESS);
    var auditsFailure = EventOption.IsFlagSet(POLICY_AUDIT_EVENT_OPTIONS.POLICY_AUDIT_EVENT_FAILURE);
    if (auditsSuccess)
    {
        line += " AUDIT_EVENT_SUCCESS";
    }
    if (auditsFailure)
    {
        line += " AUDIT_EVENT_FAILURE";
    }

    // A literal "\n" terminator is kept rather than the platform newline.
    Console.Write(line + "\n");
}
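/// <summary>
/// Sets the auditing options of a single audit category and leaves every other category as it is.
/// </summary>
/// <param name="PolicyHandle">
/// LSA policy handle used for both the query and the set call.
/// NOTE(review): the handle presumably needs POLICY_VIEW_AUDIT_INFORMATION and
/// POLICY_SET_AUDIT_REQUIREMENTS access; confirm where the handle is opened.
/// </param>
/// <param name="EventType">Audit category to change; must be a valid index into the policy's option array.</param>
/// <param name="EventOption">New option flags for the category; must pass <c>IsValid()</c>.</param>
/// <remarks>
/// The exception raised for a bad argument is whatever <c>GetException()</c> produces for
/// STATUS_INVALID_PARAMETER. This call rewrites audit policy through the LSA policy handle, so callers
/// should treat it as a privileged, security-relevant operation: reducing the options for a category
/// reduces what is recorded for it.
/// </remarks>
private static void SetAuditEvent(LSA_HANDLE PolicyHandle, POLICY_AUDIT_EVENT_TYPE EventType, POLICY_AUDIT_EVENT_OPTIONS EventOption)
{
    // obtain AuditEvents
    var pae = LsaQueryInformationPolicy<POLICY_AUDIT_EVENTS_INFO>(PolicyHandle);

    // Ensure we were passed a valid EventType and EventOption. Valid indexes are
    // 0 .. MaximumAuditEventCount - 1, so an index equal to the count is rejected here
    // instead of reaching the array write below.
    if ((uint)EventType >= pae.MaximumAuditEventCount || !EventOption.IsValid())
    {
        throw ((NTStatus)NTStatus.STATUS_INVALID_PARAMETER).GetException();
    }

    // set all auditevents to the unchanged status...
    for (var i = 0U; i < pae.MaximumAuditEventCount; i++)
    {
        pae.EventAuditingOptions[i] = POLICY_AUDIT_EVENT_OPTIONS.POLICY_AUDIT_EVENT_UNCHANGED;
    }

    // ...and update only the specified EventType
    pae.EventAuditingOptions[(int)EventType] = EventOption;

    // set the new AuditEvents
    LsaSetInformationPolicy(PolicyHandle, pae);
}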