Updated: April 17, 2012
Applies To: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows 8
Lists audit policy categories and/or subcategories, or lists users for whom a per-user audit policy is defined.
For examples of how this command can be used, see Examples.
Retrieves all users for whom the per-user audit policy has been defined. If used with the /v parameter, the security identifier (SID) of the user is also displayed.
Displays the names of categories understood by the system. If used with the /v parameter, the category globally unique identifier (GUID) is also displayed.
Displays the names of subcategories and their associated GUID.
Displays the GUID with the category or subcategory, or when used with /user, displays the SID of each user.
Displays the output as a report in comma-separated value (CSV) format.
Displays help at the command prompt.
For all list operations for the per-user policy, you must have Read permission on that object set in the security descriptor. You can also perform list operations by possessing the Manage auditing and security log (SeSecurityPrivilege) user right. However, this right allows additional access that is not necessary to perform the list operation.
To list all users who have a defined audit policy, type:
Auditpol /list /user
To list all users who have a defined audit policy and their associated SID, type:
Auditpol /list /user /v
To list all categories and subcategories in report format, type:
Auditpol /list /subcategory:* /r
To list the subcategories of the Detailed Tracking and DS Access categories, type:
Auditpol /list /subcategory:"Detailed Tracking","DS Access"