Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-50827: Using the Windows Registry to Configure Selective Auditing

Auditing and Monitoring Service ,  

31 March,21 at 01:52 PM

Question: It is known that selective auditing for the Windows agent can be done using Group Policy, but is there a way to configure selective auditing per machine, using the registry?

Answer: Yes, Selective Auditing is possible using registry settings. Please see below steps:

1) First, the SID of the user must be determined.  Two common ways this can be found:

a) Locate the user object in ADUC and choose the Attribute Editor tab. Then look for the "objectSid" value.

b) Using the following Powershell commands:

C:\> Get-LocalUser -Name <local windows username> | select SID

C:\> Get-ADUser -Identity <AD username> | select SID

2) Create the registry keys. It is possible to create a key for blacklisting or whitelisting. Multiple SIDs can be entered, separated by a comma.

To specify blacklist: (users listed here will not get audited)

Location - HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\DirectAudit\Agent

Name - NoAuditList

Type - REG_SZ

Sample value - S-1-5-21-1034848547-2613457824-1406862865-1006,S-1-5-21-1034848547-2613457824-1406862865-1004

To specify whitelist: (only the users listed here will get audited)

Location - HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\DirectAudit\Agent

Name - AuditList

Type - REG_SZ

Sample value - S-1-5-21-1034848547-2613457824-1406862865-1006,S-1-5-21-1034848547-2613457824-1406862865-1004

Additionally, group SIDs can also be entered so that the settings will apply to everyone in the group.