ThinWorld Citrix Knowledgebase

Monday, 2 November 2009

Allow non Admins Read access to EventLog

If you wish to give a user or AD group permission to read eventvwr logs on a server, the following details the manual process and also a script that makes the task a lot less painful.
I would advise use of the script in the first instance.

Manual Method
Identify the SID of the Pre-Windows 2000 group name (using SID vice versa tool)
Using regedit on the server, navigate to the following registry key
HKLM\System\CurrentControlSet\Services\Eventlog\Application

Edit the CustomSD registry value and append

(A;;0x1;;;XXXXXXXXXXXX) where XXXXXXXXXXXX is the obtained SID


Scripted Method
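' *******************************************************
' *
' * Script : AddEventLogSecurity.vbs
' *
' * Purpose : Set read permissions for event log on remote server.
' *
' *
' *******************************************************

Const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."
strUser = InputBox("Enter user name:")
strDomain = "UK"   ' Domain the account belongs to; change to suit
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

' Look up the account to obtain its SID
On Error Resume Next
Set objAccount = objWMIService.Get("Win32_UserAccount.Name='" & strUser & "',Domain='" & strDomain & "'")
If Err.Number <> 0 Then
    MsgBox "ERROR: Invalid username."
    WScript.Quit
End If
On Error GoTo 0
strSID = Trim(objAccount.SID)
MsgBox "Found user " & strUser & " SID (" & strSID & ")"

strServer = InputBox("Enter server name:")
strEventLog = InputBox("Enter event log name: eg. Application")

' Connect to the registry provider on the target server
On Error Resume Next
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strServer & "\root\default:StdRegProv")
If Err.Number <> 0 Then
    MsgBox "ERROR: Unable to connect to server " & strServer & "."
    WScript.Quit
End If
On Error GoTo 0

' Get String Current Value
strKeyPath = "SYSTEM\CurrentControlSet\Services\Eventlog\" & strEventLog
strValueName = "CustomSD"
lngResult = oReg.GetStringValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue)

' StdRegProv reports failure through its return code, not through Err.
' Stop if CustomSD is missing or empty: writing only the new ACE would
' replace the log's security descriptor with an incomplete one.
If lngResult <> 0 Or Len(strValue & "") = 0 Then
    MsgBox "ERROR: Invalid application log name or insufficient rights to complete operation."
    WScript.Quit
End If

' Do not add the same ACE twice if the script is run again
strAce = "(A;;0x1;;;" & strSID & ")"
If InStr(1, strValue, strAce, vbTextCompare) > 0 Then
    MsgBox "Read access is already granted to " & strUser & "."
    WScript.Quit
End If

' Append the read-access ACE and write the value back
lngResult = oReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath, strValueName, strValue & strAce)
If lngResult <> 0 Then
    MsgBox "ERROR: Invalid application log name or insufficient rights to complete operation."
    WScript.Quit
Else
    MsgBox "Completed successfully."
    WScript.Quit
End If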
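
To check a CustomSD string before and after either method, the following added example (not part of the original post) decodes the DACL and builds the new value offline. It goes slightly beyond the post by placing the ACE at the end of the DACL rather than the end of the string, which matters when the value also carries an S: (audit) section. The function names, sample descriptor and sample SID are constructed for illustration.

```python
import re

# Access-mask bits the event log service checks: 0x1 read, 0x2 write, 0x4 clear
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}
DACL_RE = re.compile(r"D:[A-Z]*(?:\([^()]*\))+")          # "D:" + flags + ACE list
ACE_RE = re.compile(r"\(([^;()]*);[^;()]*;([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")
SID_RE = re.compile(r"^(S-1-\d+(-\d+)+|[A-Z]{2})$")       # full SID or 2-letter alias


def dacl_aces(sddl):
    """Decode the DACL of a CustomSD string into type / SID / event-log rights."""
    dacl = DACL_RE.search(sddl)
    if not dacl:
        raise ValueError("no DACL (D:) section; refusing to guess")
    aces = []
    for ace_type, rights, sid in ACE_RE.findall(dacl.group(0)):
        # Only hex masks are decoded; symbolic rights strings are left as mask 0
        mask = int(rights, 16) if rights.lower().startswith("0x") else 0
        aces.append({"type": ace_type, "sid": sid, "mask": mask,
                     "rights": [name for bit, name in RIGHTS.items() if mask & bit]})
    return aces


def grant_read(sddl, sid):
    """Return sddl with (A;;0x1;;;sid) added as the last DACL ACE, idempotently."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    if any(a["type"] == "A" and a["sid"] == sid and a["mask"] & 0x1
           for a in dacl_aces(sddl)):
        return sddl                                        # already granted
    end = DACL_RE.search(sddl).end()                       # before any S: section
    return sddl[:end] + "(A;;0x1;;;%s)" % sid + sddl[end:]


# Constructed sample values, not taken from a real server
SAMPLE_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
             "(A;;0x7;;;BA)(A;;0x3;;;IU)S:(AU;FA;0x4;;;WD)")
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

if __name__ == "__main__":
    updated = grant_read(SAMPLE_SD, SAMPLE_SID)
    print(updated)
    for ace in dacl_aces(updated):
        print(ace["type"], ace["sid"], ace["rights"])
```

Deny ACEs (type D) that appear earlier in the list still take precedence over the appended allow ACE, so review them in the decoded output when the account belongs to a denied group.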

Microsoft Article
Microsoft Knowledge Base article 323076 details the process in depth.
