I'm using PowerShell to add users to auditing for folders in Windows 10. I'm using this code to set "EVERYONE" for Auditing. But I need to do special rules for fail and special rules for Success and Fail, so I need it to save in 2 different lines. - like this picture:
This is the code I'm using:
$Folders = "C:\windows\system32\config"
Foreach ($Folder in $Folders) {
    Write-Host "" # Empty line
    Write-Host "Applying Auditing for folder", $Folder
    Write-Host "" # Empty line
    $ACL = Get-Acl $Folder
    # Set Auditing for Success event for above Folders for Everyone group
    $PermAudited = "CreateFiles"
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", $PermAudited, "Failure")
    $ACL.SetAuditRule($AccessRule)
    # Set Auditing for Success event for Top folder
    Write-Host $Folder, "for auditing Success event"
    $ACL | Set-Acl $Folder
}
You can specify those rules using the System.Security.AccessControl.FileSystemRights enum. Check the available rules like this:
[enum]::GetNames([System.Security.AccessControl.FileSystemRights])
Basically you need to take a look at one of the constructors for the FileSystemAuditRule to understand how you need to set it. For your needs I think this is the right one:
FileSystemAuditRule(
    string identity,
    FileSystemRights fileSystemRights,
    AuditFlags flags
)
So, you need to set Rights and AuditFlags; based on your example it should be something like this:
$Rights = "ReadAndExecute","Modify"
$Flags = "Failure"
$AccessRights = [System.Security.AccessControl.FileSystemRights]$Rights
$AuditFlags = [System.Security.AccessControl.AuditFlags]$Flags
Then set the ACL like this:
$ACL = Get-Acl $Folder
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone",$AccessRights, $AuditFlags)
$ACL.SetAuditRule($AccessRule)
Set-Acl -Path $Folder -AclObject $ACL
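The two-entry case the question asks about, as an added example that is not part of the original question or answer: it uses AddAuditRule rather than SetAuditRule, because SetAuditRule first removes every existing audit rule for the same identity, so only the last rule set would survive. The folder `C:\AuditTest` and the rights in the second rule are constructed for illustration; the script assumes an elevated session, since reading or writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example, not from the original posts. Run from an elevated session.
$Folder = 'C:\AuditTest'   # constructed path; substitute the folder to audit

# One entry per audit line wanted in the SACL (rights chosen for illustration).
$RuleSpecs = @(
    @{ Rights = 'CreateFiles';               Flags = 'Failure' },
    @{ Rights = 'Delete, ChangePermissions'; Flags = 'Success, Failure' }
)

# -Audit makes Get-Acl load the existing SACL so current entries are kept.
$Acl = Get-Acl -Path $Folder -Audit

foreach ($Spec in $RuleSpecs) {
    $Rights = [System.Security.AccessControl.FileSystemRights]$Spec.Rights
    $Flags  = [System.Security.AccessControl.AuditFlags]$Spec.Flags
    $Rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $Rights, $Flags)
    # AddAuditRule adds to the existing rules; SetAuditRule would replace
    # all audit rules already present for 'Everyone'.
    $Acl.AddAuditRule($Rule)
}

Set-Acl -Path $Folder -AclObject $Acl

# Read the SACL back (explicit rules only) and check each requested entry.
$Applied = (Get-Acl -Path $Folder -Audit).GetAuditRules(
    $true, $false, [System.Security.Principal.NTAccount])

foreach ($Spec in $RuleSpecs) {
    $WantRights = [System.Security.AccessControl.FileSystemRights]$Spec.Rights
    $WantFlags  = [System.Security.AccessControl.AuditFlags]$Spec.Flags
    $Match = $Applied | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        $_.AuditFlags -eq $WantFlags -and
        $_.FileSystemRights -eq $WantRights
    }
    if (-not $Match) {
        Write-Warning "Audit entry not found: $($Spec.Rights) / $($Spec.Flags)"
    }
}

$Applied | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

If the folder already carried audit entries for Everyone with the same flags, AddAuditRule may merge the new rights into an existing entry, in which case the exact-match check prints a warning and the table shows the combined entry.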