How to check audit settings on a Windows file or folder with PowerShell?


I have been trying to get the audit settings from files and folders in Windows.

I need to validate for several different folders and files on Windows that the "Everyone" group has the "Failure" flag checked for certain types of access attempts. I want to be able to show this using PowerShell, if that's possible, instead of logging into each endpoint, opening each folder's properties -> advanced -> Auditing tab and taking screenshots for evidence.

PowerShell Script

# Input file containing a list of folders
$folderListFile = ".\folder_list.txt"

# Read the folder list file into an array
$folderList = Get-Content $folderListFile
    
# Loop through each folder in the list
foreach ($folderPath in $folderList) {
  # Get the audit flags for the folder
  $auditFlags = (Get-Acl $folderPath).Audit

  # Write the audit flags to the console
  Write-Output "Folder Path: $folderPath"
  Write-Output "Audit Flags: $($auditFlags.AuditToString())"
  Write-Output ""
}

Contents of ".\folder_list.txt"

C:\
C:\Windows
C:\Windows\System32

Output:

PS P:\Scripts> .\Get-FolderAuditSettings.ps1
Folder Path: C:\
You cannot call a method on a null-valued expression.
At P:\Scripts\Get-FolderAuditSettings.ps1:14 char:32
+   Write-Output "Audit Flags: $($auditFlags.AuditToString())"
+                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Audit Flags:

Folder Path: C:\Windows
You cannot call a method on a null-valued expression.
At P:\Scripts\Get-FolderAuditSettings.ps1:14 char:32
+   Write-Output "Audit Flags: $($auditFlags.AuditToString())"
+                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Audit Flags:

Folder Path: C:\Windows\System32
You cannot call a method on a null-valued expression.
At P:\Scripts\Get-FolderAuditSettings.ps1:14 char:32
+   Write-Output "Audit Flags: $($auditFlags.AuditToString())"
+                                ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

There is 1 best solution below

viralarchitect On

I figured it out!

  1. I had to add the -Audit flag to the Get-ACL module
  2. Now it returns an object of type: System.Security.AccessControl.FileSystemAuditRule
  3. I then reference the properties listed for this object.

Reference: dotnet-api-system.security.accesscontrol

# Input file containing a list of folders
$folderListFile = ".\folder_list.txt"

# Read the folder list file into an array
$folderList = Get-Content $folderListFile

# Loop through each folder in the list
foreach ($folderPath in $folderList) {
  # Get the audit flags for the folder
  $auditFlags = (Get-Acl $folderPath -Audit).Audit

  # Write the audit flags to the console
  Write-Output "Folder Path: $folderPath"
  Write-Output "Audit Identity: $($auditFlags.IdentityReference)"
  Write-Output "Audit Rights: $($auditFlags.FileSystemRights)"
  Write-Output "Audit Flags: $($auditFlags.AuditFlags)"
  Write-Output ""
}
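
The check the question asks for (that Everyone has a Failure audit entry covering specific rights), as an added example that is not part of the original answer. The function name, the default set of rights and the CSV file name are assumptions.

```powershell
# Added example; run in an elevated session (reading a SACL needs SeSecurityPrivilege).
function Test-EveryoneFailureAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path,
        # Assumed set of rights to verify; replace with the ones your baseline names.
        [System.Security.AccessControl.FileSystemRights]$RequiredRights =
            'Write, Delete, ChangePermissions, TakeOwnership'
    )
    begin {
        $everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of OS language
        $failure     = [int][System.Security.AccessControl.AuditFlags]::Failure
    }
    process {
        foreach ($p in $Path) {
            $covered = 0
            $status  = 'OK'
            try {
                $acl = Get-Acl -LiteralPath $p -Audit -ErrorAction Stop
                # Ask for SIDs instead of account names so the comparison is exact.
                $rules = $acl.GetAuditRules($true, $true,
                    [System.Security.Principal.SecurityIdentifier])
                foreach ($rule in $rules) {
                    if ($rule.IdentityReference.Value -eq $everyoneSid -and
                        ([int]$rule.AuditFlags -band $failure) -ne 0) {
                        # Several rules can each contribute part of the rights.
                        $covered = $covered -bor [int]$rule.FileSystemRights
                    }
                }
            }
            catch {
                $status = "ERROR: $($_.Exception.Message)"
            }
            $missing = [int]$RequiredRights -band (-bnot $covered)
            [pscustomobject]@{
                Path      = $p
                Compliant = ($status -eq 'OK' -and $missing -eq 0)
                Covered   = [System.Security.AccessControl.FileSystemRights]$covered
                Missing   = [System.Security.AccessControl.FileSystemRights]$missing
                Status    = $status
            }
        }
    }
}

# Usage with the folder list from the question; the CSV name is a placeholder.
Get-Content .\folder_list.txt | Where-Object { $_ } | Test-EveryoneFailureAudit |
    Export-Csv .\audit_evidence.csv -NoTypeInformation
```

A path that cannot be read is reported with Compliant set to False and the error text in Status, so a missing privilege does not pass as a clean result.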