Show Actual User Running an Audited Command

Use this group policy to specify whether command-based auditing records will display the actual user account that executed the audited command, rather than just the run-as user account. Enable this policy to show both the run-as user account and the actual user account in command-based auditing records.

By default, this policy is not enabled, and only the run-as account used to run the privileged command is shown in auditing records. To enable this policy, set the parameter to true.

This group policy modifies the dash.cmd.audit.show.actual.user setting in the agent configuration file.