How to Enable or Disable Audit Logging for Object Access in Batch Script
Audit logging for "Object Access" is a security feature that lets you track exactly who opened, modified, or deleted sensitive files and folders on a system. Configuring it through the "Local Security Policy" GUI works, but system administrators usually need to automate the step for forensic investigations or compliance enforcement. With the auditpol command-line utility you can switch individual subcategories on or off; the change takes effect immediately and needs no restart. This guide explains how to manage object access auditing from a Batch script.
Why Enable Object Access Auditing?
- Forensic Investigation: Identifying which user account deleted a critical file or modified a configuration folder.
- Compliance Enforcement: Meeting regulatory requirements (like HIPAA or PCI-DSS) that mandate tracking access to sensitive data.
- Security Monitoring: Detecting repeated denied attempts to open restricted directories (failure audits) or bulk reads that suggest unauthorized file copying (success audits).
Enabling the auditing "Policy" is only the first step: it tells Windows to evaluate the system access control list (SACL) on each object, and an object with no auditing entries produces no events at all. You must also right-click the specific folder or file in Windows Explorer, go to Properties > Security > Advanced > Auditing, and add the users and access types you want to track (or set the same entries from a script). The scripts below handle only the "Global Switch."
Method 1: Enabling Audit Logging for File System Access
To track file and folder activity, you target the "File System" subcategory within the "Object Access" category. The display name is localized, so on non-English Windows address the subcategory by its GUID, {0CCE921D-69AE-11D9-BED3-505054503030}, which auditpol accepts in place of the name.
@echo off
setlocal
:: Check for admin rights. "net session" only succeeds in an elevated prompt,
:: but it also fails when the Server service is disabled; on such hosts use
:: "fltmc >nul 2>&1" as the check instead.
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
echo [PROCESS] Enabling Audit Logging for File System access...
:: /set = Apply setting
:: /subcategory = The specific area to monitor (display name, or its GUID on
::                non-English Windows: {0CCE921D-69AE-11D9-BED3-505054503030})
:: /success:enable = Log successful accesses
:: /failure:enable = Log denied attempts
auditpol /set /subcategory:"File System" /success:enable /failure:enable
if %errorlevel% equ 0 (
    echo [SUCCESS] File System auditing is now ACTIVE.
    echo [NOTE] Remember to configure auditing entries on specific folders
    echo        via Properties ^> Security ^> Advanced ^> Auditing.
) else (
    echo [ERROR] Failed to set policy. Code: %errorlevel%
)
pause
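The policy switch above is only half of the configuration: without an auditing entry on the folder itself, nothing is logged. As an added example that is not part of the original article, the following script does both halves in one run: it enables the File System subcategory (by GUID, so it also works on non-English Windows) and then adds an auditing entry to one folder. The folder C:\Finance\Payroll, the audited principal (Everyone, by SID) and the chosen rights are assumptions. Batch has no built-in SACL editor, so the object-level step calls PowerShell's Get-Acl -Audit / Set-Acl.

```batch
@echo off
setlocal
:: Added example (not from the original article): enables the File System
:: audit subcategory and then adds an auditing entry (SACL ACE) to one folder.
:: TARGET, PRINCIPAL_SID and the rights list are assumptions; adjust them.
:: Reading and writing SACLs needs SeSecurityPrivilege, so run elevated.
set "TARGET=C:\Finance\Payroll"
:: S-1-1-0 is the well-known SID for Everyone (works on any language of Windows).
set "PRINCIPAL_SID=S-1-1-0"

net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    exit /b 1
)

if not exist "%TARGET%\" (
    echo [ERROR] Folder not found: %TARGET%
    exit /b 1
)

:: 1. Global switch: the File System subcategory, addressed by its GUID.
auditpol /set /subcategory:{0CCE921D-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
if %errorlevel% neq 0 (
    echo [ERROR] auditpol failed with code %errorlevel%
    exit /b 1
)

:: 2. Object-level switch: an audit ACE for the principal covering the rights a
::    forensic question usually turns on (delete, write, permission changes),
::    inherited by subfolders and files, for both Success and Failure.
::    PowerShell joins the quoted fragments below into one command string.
powershell -NoProfile -Command ^
  "$acl = Get-Acl -Path '%TARGET%' -Audit;" ^
  "$who = New-Object System.Security.Principal.SecurityIdentifier('%PRINCIPAL_SID%');" ^
  "$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, AppendData, ChangePermissions, TakeOwnership';" ^
  "$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($who, $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure');" ^
  "$acl.AddAuditRule($rule);" ^
  "Set-Acl -Path '%TARGET%' -AclObject $acl;" ^
  "(Get-Acl -Path '%TARGET%' -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize"
if %errorlevel% neq 0 (
    echo [ERROR] Failed to set the auditing entry on %TARGET%
    exit /b 1
)
echo [SUCCESS] Policy enabled and auditing entry applied to %TARGET%
```

Audit the rights a question will actually turn on rather than everything: a Success audit on ReadData for Everyone on a busy share is the quickest way to drown the Security log, while Delete, WriteData and ChangePermissions answer "who changed or removed this" at a fraction of the volume. The final Get-Acl call prints the resulting entries so the run can be checked without opening the Properties dialog.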
Method 2: Disabling Audit Logging
If you are performing heavy maintenance and want to avoid flooding the Event Log, you can temporarily disable the auditing. The change itself is recorded in the Security log as event 4719 (System audit policy was changed), so the gap is visible to anyone reviewing the log later.
@echo off
setlocal
:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)
echo [PROCESS] Disabling File System Audit...
auditpol /set /subcategory:"File System" /success:disable /failure:disable
if %errorlevel% equ 0 (
    echo [SUCCESS] File System auditing has been suspended.
    echo [REMINDER] Re-enable auditing when maintenance is complete.
) else (
    echo [ERROR] Failed to disable auditing. Code: %errorlevel%
)
pause
Creating a Security Inspection and Health Tool
A professional script shows the current state of the audit policy before asking for a change and again afterwards, so the operator can see whether a change is needed at all and confirm that it took effect.
@echo off
setlocal EnableDelayedExpansion
echo ============================================================
echo Security Audit Infrastructure Manager
echo ============================================================
:: 1. Verify Admin Rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [CRITICAL] Admin rights REQUIRED for auditpol.
    pause
    exit /b 1
)
:: 2. Check current status
echo.
echo [STATUS] Current File System Audit Policy:
echo -----------------------------------------
auditpol /get /subcategory:"File System" 2>nul | findstr /i /c:"File System"
echo -----------------------------------------
:: 3. Prompt for action
echo.
echo [E] Enable auditing (Success + Failure)
echo [D] Disable auditing
echo [Q] Quit without changes
echo.
set /p "ACTION=Select an option (E/D/Q): "
if /i "!ACTION!"=="E" (
    echo.
    echo [PROCESS] Enabling File System auditing...
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
    if !errorlevel! equ 0 (
        echo [SUCCESS] Auditing enabled.
    ) else (
        echo [ERROR] Failed to enable auditing.
    )
) else if /i "!ACTION!"=="D" (
    echo.
    echo [PROCESS] Disabling File System auditing...
    auditpol /set /subcategory:"File System" /success:disable /failure:disable
    if !errorlevel! equ 0 (
        echo [SUCCESS] Auditing disabled.
    ) else (
        echo [ERROR] Failed to disable auditing.
    )
) else if /i "!ACTION!"=="Q" (
    echo [INFO] No changes made.
) else (
    echo [ERROR] Invalid option.
)
:: 4. Show updated status
echo.
echo [STATUS] Updated File System Audit Policy:
echo -----------------------------------------
auditpol /get /subcategory:"File System" 2>nul | findstr /i /c:"File System"
echo -----------------------------------------
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Administrative Rights
Managing audit policies is a high-level system task. You must run your Batch script from an elevated (UAC-approved) Command Prompt: membership in the Administrators group is not enough on its own, because a non-elevated token has the required privileges filtered out and auditpol fails with an access-denied error.
Category vs. Subcategory
Some users try to enable the entire "Object Access" category at once.
Wrong Way:
auditpol /set /category:"Object Access" ...
:: This succeeds, but it turns on every subcategory under Object Access, including Filtering Platform Connection, Filtering Platform Packet Drop and Handle Manipulation, and those alone can fill the Security log with thousands of entries per minute.
Correct Way: Always target specific subcategories (like "File System," "Registry," or "SAM") to keep your logs clear and your system performance high.
Advise your users to view the results in the Windows Event Viewer under Windows Logs > Security. The events to look for are 4656 (A handle to an object was requested, logged when a process opens the object with audited rights), 4663 (An attempt was made to access an object, logged when the access is actually exercised and naming the operation in its Accesses field) and 4660 (An object was deleted). Event 4660 does not contain the object name; to learn which file was deleted, match its Handle ID and Process ID to the preceding 4663 or 4656 from the same process.
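To pull those events out of the log without clicking through Event Viewer, here is an added example that is not part of the original article. It queries the Security log with wevtutil using the same XPath filters that Event Viewer's custom views use, prints the most recent file-system access and deletion events, then exports the selection as .evtx and hashes it for preservation. The 24-hour window and the C:\AuditEvidence folder are assumptions.

```batch
@echo off
setlocal
:: Added example (not from the original article): pulls recent object access
:: events (4656, 4663, 4660) from the Security log and preserves them as .evtx.
:: HOURS and OUT_DIR are assumptions; adjust them. Run elevated.
set "HOURS=24"
set "OUT_DIR=C:\AuditEvidence"
:: timediff() in the event XPath works in milliseconds.
set /a MS=%HOURS%*3600000

net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Reading the Security log requires administrator privileges.
    exit /b 1
)

:: 4663 (access attempted) and 4656 (handle requested) on File objects only,
:: newest first, readable text, capped at 25 events for a quick look.
echo [QUERY] File-system access events ^(4656/4663 on File objects^), last %HOURS% hours:
wevtutil qe Security /q:"*[System[(EventID=4663 or EventID=4656) and TimeCreated[timediff(@SystemTime) <= %MS%]] and EventData[Data[@Name='ObjectType']='File']]" /c:25 /rd:true /f:text

:: 4660 (object deleted) carries no ObjectName or ObjectType, so it cannot be
:: filtered by type; match its Handle ID and Process ID to a 4663/4656 above.
echo.
echo [QUERY] Deletions ^(4660^) in the same window:
wevtutil qe Security /q:"*[System[(EventID=4660) and TimeCreated[timediff(@SystemTime) <= %MS%]]]" /c:25 /rd:true /f:text

:: Preserve the whole selection as .evtx: the original event XML survives,
:: the file loads in Event Viewer, and the hash gives a chain-of-custody value.
if not exist "%OUT_DIR%" mkdir "%OUT_DIR%"
for /f %%T in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd-HHmmss"') do set "STAMP=%%T"
set "EVTX=%OUT_DIR%\ObjectAccess-%COMPUTERNAME%-%STAMP%.evtx"
wevtutil epl Security "%EVTX%" /q:"*[System[(EventID=4663 or EventID=4656 or EventID=4660) and TimeCreated[timediff(@SystemTime) <= %MS%]]]"
if %errorlevel% equ 0 (
    echo [SAVED] %EVTX%
    certutil -hashfile "%EVTX%" SHA256
) else (
    echo [ERROR] Export failed with code %errorlevel%
)
```

The export deliberately includes 4660 without the File filter, because the deletion record is only useful together with the 4663 or 4656 that names the file; keeping both in one .evtx lets an investigator do the Handle ID correlation offline.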
Best Practices for Audit Management
- Monitor Log Size: Object access auditing generates a huge volume of data. Set the Security Event Log to a large size (for example 512 MB) and to "Overwrite events as needed"; in a domain this is normally set by GPO.
- Use Specific Subcategories: If you only care about registry changes, use /subcategory:"Registry" instead of "File System."
- Audit the Auditor: Periodically run auditpol /backup /file:AuditPolicy.csv to save the audit settings to a CSV file. The backup documents the policy in force at the moment it was taken; to show that the policy was in force over a period, keep dated backups and check the Security log for event 4719 (System audit policy was changed), which records every change, including the ones these scripts make.
Note that if the machine is a member of an Active Directory domain, a GPO that defines Advanced Audit Policy settings overrides the local configuration, and the next policy refresh (every 90 minutes by default on domain members, plus a random offset) puts the GPO's values back. auditpol /get shows the effective policy but not where it came from: if your change reverts, review the applied GPOs with gpresult and make the change in the GPO instead. Also make sure the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled (the default); if it is disabled, legacy category-level settings win over the subcategory settings set here.
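The inspection tool earlier in the article shows the current state but leaves the comparison to the operator. As an added example that is not part of the original article, here is a desired-state version that covers the practices above: it reads the effective setting from auditpol's CSV output (/r), changes it only when it differs, verifies the result, sets the Security log size and retention with wevtutil, and writes a dated policy backup plus a gpresult report so that a later reversion can be traced to a GPO. The subcategory is addressed by its GUID so the script works on non-English Windows; the backup path and the 512 MB size are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion
:: Added example (not from the original article): an idempotent desired-state
:: script. Reads the effective File System audit setting as CSV, sets it only
:: when it differs, verifies, sizes the Security log, and keeps dated evidence.
:: BACKUP_DIR and LOG_MAX_BYTES are assumptions; adjust them. Run elevated.

:: File System subcategory by GUID (the display name is localized).
set "SUBCAT_GUID={0CCE921D-69AE-11D9-BED3-505054503030}"
:: The only state this script enforces is Success and Failure auditing.
set "WANT=Success and Failure"
:: 512 MB, in bytes
set "LOG_MAX_BYTES=536870912"
set "BACKUP_DIR=C:\AuditEvidence"

net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    exit /b 1
)

:: 1. Read the effective setting. With /r, auditpol prints CSV:
::    Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
::    Field 5 is one of: No Auditing | Success | Failure | Success and Failure
call :ReadSetting CURRENT
if not defined CURRENT (
    echo [ERROR] Could not read the audit policy ^(is this an elevated prompt?^)
    exit /b 1
)
echo [STATUS] File System auditing is currently: !CURRENT!

:: 2. Change only when the effective setting differs from the desired one,
::    then re-read to confirm the change actually took effect.
if /i "!CURRENT!"=="%WANT%" (
    echo [OK] Already "%WANT%"; nothing to change.
) else (
    echo [PROCESS] Setting File System auditing to "%WANT%"...
    auditpol /set /subcategory:%SUBCAT_GUID% /success:enable /failure:enable
    if !errorlevel! neq 0 (
        echo [ERROR] auditpol failed with code !errorlevel!
        exit /b 1
    )
    call :ReadSetting AFTER
    if /i not "!AFTER!"=="%WANT%" (
        echo [ERROR] Verification failed: effective setting is "!AFTER!"
        exit /b 1
    )
    echo [SUCCESS] Verified: !AFTER!
)

:: 3. Security log capacity: 512 MB, overwrite as needed (retention off).
wevtutil sl Security /ms:%LOG_MAX_BYTES% /rt:false
if %errorlevel% neq 0 echo [WARN] Could not resize the Security log ^(code %errorlevel%^)
wevtutil gl Security | findstr /i /c:"maxSize" /c:"retention"

:: 4. Dated backup of the whole policy plus the applied Group Policy report.
::    If the setting reverts after the next refresh, the GPO listed under
::    Computer Configuration in the report owns it and must be changed there.
if not exist "%BACKUP_DIR%" mkdir "%BACKUP_DIR%"
for /f %%T in ('powershell -NoProfile -Command "Get-Date -Format yyyyMMdd-HHmmss"') do set "STAMP=%%T"
auditpol /backup /file:"%BACKUP_DIR%\AuditPolicy-%COMPUTERNAME%-%STAMP%.csv"
gpresult /h "%BACKUP_DIR%\GroupPolicy-%COMPUTERNAME%-%STAMP%.html"
echo [SAVED] Policy backup and GPO report written to %BACKUP_DIR%
exit /b 0

:: Reads field 5 of the CSV row for the subcategory into the variable named by %1.
:ReadSetting
set "%1="
for /f "tokens=5 delims=," %%F in ('auditpol /get /subcategory:%SUBCAT_GUID% /r ^| findstr /i /c:"%SUBCAT_GUID%"') do set "%1=%%F"
exit /b 0
```

Because the script exits non-zero whenever the verified state differs from the desired one, it can run from a scheduled task or a configuration-management agent and alert on drift instead of silently re-applying a setting that Group Policy will revert again at the next refresh.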
Conclusion
Enabling or disabling audit logging for object access from a Batch script is a basic building block of a monitored Windows environment. By using auditpol to manage specific subcategories, and by pairing the policy with auditing entries on the objects that matter, you can keep a clear audit trail of sensitive file interactions without overwhelming the Security log. This approach keeps the infrastructure compliant, monitored, and ready for forensic investigation.