(2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object

PowerShell Code to remove all auditing entries from one or multiple OUs for some security principal.

Example security principal: ADCORP\MyDelegationAdminGroup

–

# Clear The Screen
Clear-Host

# Get Script Location
$scriptFolder = (Get-Location).Path

# Get File With OUs To Process
$fileWithListOfOUsToProcess = "List-Of-OUs-To-Process-For-Delegations.txt"

# Import The Required Module
Import-Module ActiveDirectory

#Get The RootDSE Info
$rootDSE = Get-ADRootDSE

# Get List Of OUs To Process
$listOfOUsToProcess = Get-Content $($scriptFolder + "\" + $fileWithListOfOUsToProcess)

# Security Principal To Audit For Actions
$securityPrincipalAccount = "ADCORP\MyDelegatedAdminGroup"

# Process Each OU
$listOfOUsToProcess | %{
    $ou = $_
    $ouDrivePath = $("AD:\" + $ou)
    Write-Host ""
    Write-Host "Processing OU: $ou" -Foregroundcolor Cyan
    Write-Host "   REMOVING Audit Entries..."
    Write-Host "      Security Principal...: $securityPrincipalAccount"
    Write-Host ""
    $aclOU = Get-Acl $ouDrivePath -Audit
    $aclOU.Audit | ?{$_.IdentityReference -eq $securityPrincipalAccount} | %{
        $auditRule = $_
        $aclOU.RemoveAuditRule($auditRule)
    }
    $aclOU | Set-Acl $ouDrivePath
}

–

Figure 1: SACL Before Removal

–

If the removal action outputs "True", it means it found the auditing entry and it was removed. If the removal action outputs "False", it means it did not find the auditing entry and nothing was removed. 

Figure 2: Configuring The SACL Through PowerShell

–

Figure 3: SACL After Removal

–

The PowerShell code for this script is included in a ZIP file. The ZIP file can be download from here.

The ZIP file contains all the scripts for the following blogs posts:

• (2014-08-16) PowerShell And DACLs In AD: Adding ACE For Create/Delete Some Object
• (2014-08-18) PowerShell And DACLs In AD: Adding ACE For Read/Write Property On Some Object
• (2014-08-20) PowerShell And DACLs In AD: Adding ACE For Some Extended Right On Some Object
• (2014-08-22) PowerShell And DACLs In AD: Removing ACE For Delete Some Object
• (2014-08-24) PowerShell And DACLs In AD: Removing ACE For Write Property On Some Object
• (2014-08-26) PowerShell And DACLs In AD: Removing ACE For Some Extended Right On Some Object
• (2014-08-28) PowerShell And DACLs In AD: Removing All ACEs On Some Object
• (2014-08-30) PowerShell And SACLs In AD: Adding Auditing Entry For Create/Delete Some Object
• (2014-09-01) PowerShell And SACLs In AD: Adding Auditing Entry For Read/Write Property On Some Object
• (2014-09-03) PowerShell And SACLs In AD: Adding Auditing Entry For Some Extended Right On Some Object
• (2014-09-05) PowerShell And SACLs In AD: Removing Auditing Entry For Create Some Object
• (2014-09-07) PowerShell And SACLs In AD: Removing Auditing Entry For Read Property On Some Object
• (2014-09-09) PowerShell And SACLs In AD: Removing Auditing Entry For Some Extended Right On Some Object
• (2014-09-11) PowerShell And SACLs In AD: Removing All Auditing Entries On Some Object
• (2014-09-13) PowerShell And DACLs In AD: Checking For Correct Canonical Order Of DACL
• (2014-09-15) PowerShell And SACLs In AD: Checking For Correct Canonical Order Of SACL

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————