syskey_registry_keys_sacl_setup.ps1

# Download https://github.com/OTRF/Set-AuditRule/blob/master/Set-AuditRule.ps1

Import-Module .\Set-AuditRule.ps1

$AuditRules = @"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\JD";"Authenticated Users";"QueryValues";"None";"None";"Success"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Skew1";"Authenticated Users";"QueryValues";"None";"None";"Success"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\GBG";"Authenticated Users";"QueryValues";"None";"None";"Success"
"HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Data";"Authenticated Users";"QueryValues";"None";"None";"Success"
"@

write-host "Enabling audit rules.."
$AuditRules | ConvertFrom-Csv -Delimiter ';' | ForEach-Object {
    if(!(Test-Path $_.regKey)){
        Write-Host $_.regKey " does not exist.."
    }
    else {
        Write-Host "Updating SACL of " $_.regKey
        Set-AuditRule -RegistryPath $_.regKey -IdentityReference $_.identityReference  -Rights $_.rights.split(",") -InheritanceFlags $_.inheritanceFlags -PropagationFlags $_.propagationFlags -AuditFlags $_.auditFlags -ErrorAction SilentlyContinue
    }
}