How to Grant Write Access to Windows Server 2012 R2 Application Event LogHow to make user not be part of...

Binary Numbers Magic Trick

Was there a Viking Exchange as well as a Columbian one?

What is the most expensive material in the world that could be used to create Pun-Pun's lute?

Stop and Take a Breath!

How to reduce LED flash rate (frequency)

What is the difference between `command a[bc]d` and `command `a{b,c}d`

Using a Lyapunov function to classify stability and sketching a phase portrait

Why is it that the natural deduction method can't test for invalidity?

Do I have an "anti-research" personality?

Why does nature favour the Laplacian?

Why do Computer Science majors learn Calculus?

Controversial area of mathematics

Noun clause (singular all the time?)

How do I reattach a shelf to the wall when it ripped out of the wall?

What makes accurate emulation of old systems a difficult task?

With a Canadian student visa, can I spend a night at Vancouver before continuing to Toronto?

What route did the Hindenburg take when traveling from Germany to the U.S.?

How did Captain America manage to do this?

How can the Zone of Truth spell be defeated without the caster knowing?

Meaning of Bloch representation

What happened to Captain America in Endgame?

Error message with tabularx

How to pronounce 'C++' in Spanish

Critique of timeline aesthetic



How to Grant Write Access to Windows Server 2012 R2 Application Event Log


How to make user not be part of Users group in Windows?How to specify SIDs in Security Policy?How to protect an SMB shared directory with a password on WIndows Server 2008?Newly Created Domain Admin has Less PermissionsSharing and Security permissions for domain and local users and groupsFile permissions “Administrators: Full Control”. Why isn't it always sufficient?Failed Authentication Against Windows Server 2012 R2 RADIUS Using PAPAdministrator being asked for admin password when running admin programsUse icacls to give only read+execute accessExchange inherited permissions






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







2















I'm running Windows Server 2012 R2 and under that I'm running VMWare Workstation Pro. When Workstation is installed, the user Group __vmware__ is created for VMWare Workstation users. I've added my host machine (i.e. Windows Server 2012 R2) user account (a member of Users, not a member of Administrators) to the __vmware__ Group.



On the host I'd like to create event log entries in the Application event log while running as my user account related to the state of the virtual machines running under VMWare.



From a command window on the host, I type whoami all and get the following:



USER INFORMATION
----------------

User Name SID
========= ==============================================
mtemike S-1-5-21-1052476717-3500785571-2838594007-1118


GROUP INFORMATION
-----------------

Group Name Type SID
Attributes

========================================== ================ ====================
========================== =====================================================
==========
Everyone Well-known group S-1-1-0
Mandatory group, Enabled by default, Enabled group

BUILTINUsers Alias S-1-5-32-545
Mandatory group, Enabled by default, Enabled group

BUILTINCertificate Service DCOM Access Alias S-1-5-32-574
Mandatory group, Enabled by default, Enabled group

BUILTINPre-Windows 2000 Compatible Access Alias S-1-5-32-554
Group used for deny only

NT AUTHORITYINTERACTIVE Well-known group S-1-5-4
Mandatory group, Enabled by default, Enabled group

CONSOLE LOGON Well-known group S-1-2-1
Mandatory group, Enabled by default, Enabled group

NT AUTHORITYAuthenticated Users Well-known group S-1-5-11
Mandatory group, Enabled by default, Enabled group

NT AUTHORITYThis Organization Well-known group S-1-5-15
Mandatory group, Enabled by default, Enabled group

LOCAL Well-known group S-1-2-0
Mandatory group, Enabled by default, Enabled group

Authentication authority asserted identity Well-known group S-1-18-1
Mandatory group, Enabled by default, Enabled group

MTE__vmware__ Alias S-1-5-21-1052476717-
3500785571-2838594007-1131 Mandatory group, Enabled by default, Enabled group, L
ocal Group
Mandatory LabelMedium Mandatory Level Label S-1-16-8192




PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.


Note that my user account is a member of __vmware__ and the the SID is S-1-5-21-1052476717-3500785571-2838594007-1131.



From an Administrator account, I edit the following registry key:



HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogApplication



And modify the CustomSD entry as follows:



O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)



Here you can see that the __vmware__ Group has been granted Read and Write access to the Application event log.



Yet, when I attempt to create a log entry:



eventcreate /SO TestEventMsg /Id 1 /D "This is a test message" /T INFORMATION /L Application



I get an Access denied error.



What am I not doing correctly?



UPDATE 2016-12-03



I tried the user2304170's suggestion and this is what I got:



PS C:UsersNetadminDocuments> ./GrantEventLogAccess.ps1 -Account '__vmware__' -LogName Application
Failed to save configuration or activate log Application. Access is denied.
name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)
(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%System32WinevtLogsApplication.evtx
retention: false
autoBackup: false
maxSize: 20971520
publishing:
fileMax: 1
PS C:UsersNetadminDocuments>









share|improve this question
















bumped to the homepage by Community yesterday


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • Did you run user2304170's suggestion in an admin powershell window?

    – cjb110
    Jul 20 '18 at 12:49











  • Sorry, I can't recall and I've given up using Windows Server as a VM host.

    – mbmast
    Jul 20 '18 at 18:52


















2















I'm running Windows Server 2012 R2 and under that I'm running VMWare Workstation Pro. When Workstation is installed, the user Group __vmware__ is created for VMWare Workstation users. I've added my host machine (i.e. Windows Server 2012 R2) user account (a member of Users, not a member of Administrators) to the __vmware__ Group.



On the host I'd like to create event log entries in the Application event log while running as my user account related to the state of the virtual machines running under VMWare.



From a command window on the host, I type whoami all and get the following:



USER INFORMATION
----------------

User Name SID
========= ==============================================
mtemike S-1-5-21-1052476717-3500785571-2838594007-1118


GROUP INFORMATION
-----------------

Group Name Type SID
Attributes

========================================== ================ ====================
========================== =====================================================
==========
Everyone Well-known group S-1-1-0
Mandatory group, Enabled by default, Enabled group

BUILTINUsers Alias S-1-5-32-545
Mandatory group, Enabled by default, Enabled group

BUILTINCertificate Service DCOM Access Alias S-1-5-32-574
Mandatory group, Enabled by default, Enabled group

BUILTINPre-Windows 2000 Compatible Access Alias S-1-5-32-554
Group used for deny only

NT AUTHORITYINTERACTIVE Well-known group S-1-5-4
Mandatory group, Enabled by default, Enabled group

CONSOLE LOGON Well-known group S-1-2-1
Mandatory group, Enabled by default, Enabled group

NT AUTHORITYAuthenticated Users Well-known group S-1-5-11
Mandatory group, Enabled by default, Enabled group

NT AUTHORITYThis Organization Well-known group S-1-5-15
Mandatory group, Enabled by default, Enabled group

LOCAL Well-known group S-1-2-0
Mandatory group, Enabled by default, Enabled group

Authentication authority asserted identity Well-known group S-1-18-1
Mandatory group, Enabled by default, Enabled group

MTE__vmware__ Alias S-1-5-21-1052476717-
3500785571-2838594007-1131 Mandatory group, Enabled by default, Enabled group, L
ocal Group
Mandatory LabelMedium Mandatory Level Label S-1-16-8192




PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.


Note that my user account is a member of __vmware__ and the the SID is S-1-5-21-1052476717-3500785571-2838594007-1131.



From an Administrator account, I edit the following registry key:



HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogApplication



And modify the CustomSD entry as follows:



O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)



Here you can see that the __vmware__ Group has been granted Read and Write access to the Application event log.



Yet, when I attempt to create a log entry:



eventcreate /SO TestEventMsg /Id 1 /D "This is a test message" /T INFORMATION /L Application



I get an Access denied error.



What am I not doing correctly?



UPDATE 2016-12-03



I tried the user2304170's suggestion and this is what I got:



PS C:UsersNetadminDocuments> ./GrantEventLogAccess.ps1 -Account '__vmware__' -LogName Application
Failed to save configuration or activate log Application. Access is denied.
name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)
(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%System32WinevtLogsApplication.evtx
retention: false
autoBackup: false
maxSize: 20971520
publishing:
fileMax: 1
PS C:UsersNetadminDocuments>









share|improve this question
















bumped to the homepage by Community yesterday


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
















  • Did you run user2304170's suggestion in an admin powershell window?

    – cjb110
    Jul 20 '18 at 12:49











  • Sorry, I can't recall and I've given up using Windows Server as a VM host.

    – mbmast
    Jul 20 '18 at 18:52














2












2








2








I'm running Windows Server 2012 R2 and under that I'm running VMWare Workstation Pro. When Workstation is installed, the user Group __vmware__ is created for VMWare Workstation users. I've added my host machine (i.e. Windows Server 2012 R2) user account (a member of Users, not a member of Administrators) to the __vmware__ Group.



On the host I'd like to create event log entries in the Application event log while running as my user account related to the state of the virtual machines running under VMWare.



From a command window on the host, I type whoami all and get the following:



USER INFORMATION
----------------

User Name SID
========= ==============================================
mtemike S-1-5-21-1052476717-3500785571-2838594007-1118


GROUP INFORMATION
-----------------

Group Name Type SID
Attributes

========================================== ================ ====================
========================== =====================================================
==========
Everyone Well-known group S-1-1-0
Mandatory group, Enabled by default, Enabled group

BUILTINUsers Alias S-1-5-32-545
Mandatory group, Enabled by default, Enabled group

BUILTINCertificate Service DCOM Access Alias S-1-5-32-574
Mandatory group, Enabled by default, Enabled group

BUILTINPre-Windows 2000 Compatible Access Alias S-1-5-32-554
Group used for deny only

NT AUTHORITYINTERACTIVE Well-known group S-1-5-4
Mandatory group, Enabled by default, Enabled group

CONSOLE LOGON Well-known group S-1-2-1
Mandatory group, Enabled by default, Enabled group

NT AUTHORITYAuthenticated Users Well-known group S-1-5-11
Mandatory group, Enabled by default, Enabled group

NT AUTHORITYThis Organization Well-known group S-1-5-15
Mandatory group, Enabled by default, Enabled group

LOCAL Well-known group S-1-2-0
Mandatory group, Enabled by default, Enabled group

Authentication authority asserted identity Well-known group S-1-18-1
Mandatory group, Enabled by default, Enabled group

MTE__vmware__ Alias S-1-5-21-1052476717-
3500785571-2838594007-1131 Mandatory group, Enabled by default, Enabled group, L
ocal Group
Mandatory LabelMedium Mandatory Level Label S-1-16-8192




PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.


Note that my user account is a member of __vmware__ and the the SID is S-1-5-21-1052476717-3500785571-2838594007-1131.



From an Administrator account, I edit the following registry key:



HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogApplication



And modify the CustomSD entry as follows:



O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)



Here you can see that the __vmware__ Group has been granted Read and Write access to the Application event log.



Yet, when I attempt to create a log entry:



eventcreate /SO TestEventMsg /Id 1 /D "This is a test message" /T INFORMATION /L Application



I get an Access denied error.



What am I not doing correctly?



UPDATE 2016-12-03



I tried the user2304170's suggestion and this is what I got:



PS C:UsersNetadminDocuments> ./GrantEventLogAccess.ps1 -Account '__vmware__' -LogName Application
Failed to save configuration or activate log Application. Access is denied.
name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)
(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%System32WinevtLogsApplication.evtx
retention: false
autoBackup: false
maxSize: 20971520
publishing:
fileMax: 1
PS C:UsersNetadminDocuments>









share|improve this question
















I'm running Windows Server 2012 R2 and under that I'm running VMWare Workstation Pro. When Workstation is installed, the user Group __vmware__ is created for VMWare Workstation users. I've added my host machine (i.e. Windows Server 2012 R2) user account (a member of Users, not a member of Administrators) to the __vmware__ Group.



On the host I'd like to create event log entries in the Application event log while running as my user account related to the state of the virtual machines running under VMWare.



From a command window on the host, I type whoami all and get the following:



USER INFORMATION
----------------

User Name SID
========= ==============================================
mtemike S-1-5-21-1052476717-3500785571-2838594007-1118


GROUP INFORMATION
-----------------

Group Name Type SID
Attributes

========================================== ================ ====================
========================== =====================================================
==========
Everyone Well-known group S-1-1-0
Mandatory group, Enabled by default, Enabled group

BUILTINUsers Alias S-1-5-32-545
Mandatory group, Enabled by default, Enabled group

BUILTINCertificate Service DCOM Access Alias S-1-5-32-574
Mandatory group, Enabled by default, Enabled group

BUILTINPre-Windows 2000 Compatible Access Alias S-1-5-32-554
Group used for deny only

NT AUTHORITYINTERACTIVE Well-known group S-1-5-4
Mandatory group, Enabled by default, Enabled group

CONSOLE LOGON Well-known group S-1-2-1
Mandatory group, Enabled by default, Enabled group

NT AUTHORITYAuthenticated Users Well-known group S-1-5-11
Mandatory group, Enabled by default, Enabled group

NT AUTHORITYThis Organization Well-known group S-1-5-15
Mandatory group, Enabled by default, Enabled group

LOCAL Well-known group S-1-2-0
Mandatory group, Enabled by default, Enabled group

Authentication authority asserted identity Well-known group S-1-18-1
Mandatory group, Enabled by default, Enabled group

MTE__vmware__ Alias S-1-5-21-1052476717-
3500785571-2838594007-1131 Mandatory group, Enabled by default, Enabled group, L
ocal Group
Mandatory LabelMedium Mandatory Level Label S-1-16-8192




PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.


Note that my user account is a member of __vmware__ and the the SID is S-1-5-21-1052476717-3500785571-2838594007-1131.



From an Administrator account, I edit the following registry key:



HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogApplication



And modify the CustomSD entry as follows:



O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)



Here you can see that the __vmware__ Group has been granted Read and Write access to the Application event log.



Yet, when I attempt to create a log entry:



eventcreate /SO TestEventMsg /Id 1 /D "This is a test message" /T INFORMATION /L Application



I get an Access denied error.



What am I not doing correctly?



UPDATE 2016-12-03



I tried the user2304170's suggestion and this is what I got:



PS C:UsersNetadminDocuments> ./GrantEventLogAccess.ps1 -Account '__vmware__' -LogName Application
Failed to save configuration or activate log Application. Access is denied.
name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)
(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
logFileName: %SystemRoot%System32WinevtLogsApplication.evtx
retention: false
autoBackup: false
maxSize: 20971520
publishing:
fileMax: 1
PS C:UsersNetadminDocuments>






permissions windows-server-2012-r2 event-log






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Dec 3 '16 at 20:38







mbmast

















asked Mar 14 '16 at 19:44









mbmastmbmast

193211




193211





bumped to the homepage by Community yesterday


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







bumped to the homepage by Community yesterday


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.















  • Did you run user2304170's suggestion in an admin powershell window?

    – cjb110
    Jul 20 '18 at 12:49











  • Sorry, I can't recall and I've given up using Windows Server as a VM host.

    – mbmast
    Jul 20 '18 at 18:52



















  • Did you run user2304170's suggestion in an admin powershell window?

    – cjb110
    Jul 20 '18 at 12:49











  • Sorry, I can't recall and I've given up using Windows Server as a VM host.

    – mbmast
    Jul 20 '18 at 18:52

















Did you run user2304170's suggestion in an admin powershell window?

– cjb110
Jul 20 '18 at 12:49





Did you run user2304170's suggestion in an admin powershell window?

– cjb110
Jul 20 '18 at 12:49













Sorry, I can't recall and I've given up using Windows Server as a VM host.

– mbmast
Jul 20 '18 at 18:52





Sorry, I can't recall and I've given up using Windows Server as a VM host.

– mbmast
Jul 20 '18 at 18:52










2 Answers
2






active

oldest

votes


















0














Puzzling stuff together on the internet I've created this little script for it:



<# 
.SYNOPSIS
Add write permissions to the Windows Event Log for a specific AD object.

.DESCRIPTION
Add write permissions to the Windows Event Log for a specific AD object.

.PARAMETER Account
Active directory object that needs write permissions.

.PARAMETER LogName
Name of the log where we grant permissions

.EXAMPLE
./script.ps! -Account 'Domain users' -LogName Application

.NOTES
CHANGELOG
2016/09/12 Script born #>

Param (
[String]$Account = 'Bob',
[String]$LogName = 'Application'
)

Write-Verbose "Retrieving SID for account '$Account'"

$AdObj = New-Object System.Security.Principal.NTAccount($Account)
$SID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
Write-Verbose "Found SID for account $($SID.Value)"

$w = wevtutil gl $LogName
$channelAccess = $w[5]

if ($channelAccess.Contains('channelAccess:')) {

$str = $channelAccess.Replace('channelAccess: ','')

if ($str.Contains($SID.Value) -eq $false) {
$newstr = $str +"(A;;0x3;;;"+$SID.Value+")"
Write-Verbose "Adding '$newstr'"
wevtutil sl $LogName /ca:$newstr
Write-Verbose "Update complete new value is"
wevtutil gl $LogName
}
else {
Write-Verbose "Update not needed"
}
}





share|improve this answer
























  • Thanks. I'll give this a try in a couple of weeks. Out of the country at the moment.

    – mbmast
    Sep 12 '16 at 12:49











  • See my update. I tried you suggestion.

    – mbmast
    Dec 3 '16 at 20:39



















0














I haven't tested this in full but if you go to this registry key:



HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventlog


You can right-click on the Eventlog folder and give permissions to the user you want to allow access or you can choose the Event log.



enter image description here






share|improve this answer


























  • This did not work.

    – mbmast
    Dec 3 '16 at 23:01












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1052830%2fhow-to-grant-write-access-to-windows-server-2012-r2-application-event-log%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























2 Answers
2






active

oldest

votes








2 Answers
2






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














Puzzling stuff together on the internet I've created this little script for it:



<# 
.SYNOPSIS
Add write permissions to the Windows Event Log for a specific AD object.

.DESCRIPTION
Add write permissions to the Windows Event Log for a specific AD object.

.PARAMETER Account
Active directory object that needs write permissions.

.PARAMETER LogName
Name of the log where we grant permissions

.EXAMPLE
./script.ps! -Account 'Domain users' -LogName Application

.NOTES
CHANGELOG
2016/09/12 Script born #>

Param (
[String]$Account = 'Bob',
[String]$LogName = 'Application'
)

Write-Verbose "Retrieving SID for account '$Account'"

$AdObj = New-Object System.Security.Principal.NTAccount($Account)
$SID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
Write-Verbose "Found SID for account $($SID.Value)"

$w = wevtutil gl $LogName
$channelAccess = $w[5]

if ($channelAccess.Contains('channelAccess:')) {

$str = $channelAccess.Replace('channelAccess: ','')

if ($str.Contains($SID.Value) -eq $false) {
$newstr = $str +"(A;;0x3;;;"+$SID.Value+")"
Write-Verbose "Adding '$newstr'"
wevtutil sl $LogName /ca:$newstr
Write-Verbose "Update complete new value is"
wevtutil gl $LogName
}
else {
Write-Verbose "Update not needed"
}
}





share|improve this answer
























  • Thanks. I'll give this a try in a couple of weeks. Out of the country at the moment.

    – mbmast
    Sep 12 '16 at 12:49











  • See my update. I tried you suggestion.

    – mbmast
    Dec 3 '16 at 20:39
















0














Puzzling stuff together on the internet I've created this little script for it:



<# 
.SYNOPSIS
Add write permissions to the Windows Event Log for a specific AD object.

.DESCRIPTION
Add write permissions to the Windows Event Log for a specific AD object.

.PARAMETER Account
Active directory object that needs write permissions.

.PARAMETER LogName
Name of the log where we grant permissions

.EXAMPLE
./script.ps! -Account 'Domain users' -LogName Application

.NOTES
CHANGELOG
2016/09/12 Script born #>

Param (
[String]$Account = 'Bob',
[String]$LogName = 'Application'
)

Write-Verbose "Retrieving SID for account '$Account'"

$AdObj = New-Object System.Security.Principal.NTAccount($Account)
$SID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
Write-Verbose "Found SID for account $($SID.Value)"

$w = wevtutil gl $LogName
$channelAccess = $w[5]

if ($channelAccess.Contains('channelAccess:')) {

$str = $channelAccess.Replace('channelAccess: ','')

if ($str.Contains($SID.Value) -eq $false) {
$newstr = $str +"(A;;0x3;;;"+$SID.Value+")"
Write-Verbose "Adding '$newstr'"
wevtutil sl $LogName /ca:$newstr
Write-Verbose "Update complete new value is"
wevtutil gl $LogName
}
else {
Write-Verbose "Update not needed"
}
}





share|improve this answer
























  • Thanks. I'll give this a try in a couple of weeks. Out of the country at the moment.

    – mbmast
    Sep 12 '16 at 12:49











  • See my update. I tried you suggestion.

    – mbmast
    Dec 3 '16 at 20:39














0












0








0







Puzzling stuff together on the internet I've created this little script for it:



<# 
.SYNOPSIS
Add write permissions to the Windows Event Log for a specific AD object.

.DESCRIPTION
Add write permissions to the Windows Event Log for a specific AD object.

.PARAMETER Account
Active directory object that needs write permissions.

.PARAMETER LogName
Name of the log where we grant permissions

.EXAMPLE
./script.ps! -Account 'Domain users' -LogName Application

.NOTES
CHANGELOG
2016/09/12 Script born #>

Param (
[String]$Account = 'Bob',
[String]$LogName = 'Application'
)

Write-Verbose "Retrieving SID for account '$Account'"

$AdObj = New-Object System.Security.Principal.NTAccount($Account)
$SID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
Write-Verbose "Found SID for account $($SID.Value)"

$w = wevtutil gl $LogName
$channelAccess = $w[5]

if ($channelAccess.Contains('channelAccess:')) {

$str = $channelAccess.Replace('channelAccess: ','')

if ($str.Contains($SID.Value) -eq $false) {
$newstr = $str +"(A;;0x3;;;"+$SID.Value+")"
Write-Verbose "Adding '$newstr'"
wevtutil sl $LogName /ca:$newstr
Write-Verbose "Update complete new value is"
wevtutil gl $LogName
}
else {
Write-Verbose "Update not needed"
}
}





share|improve this answer













Puzzling stuff together on the internet I've created this little script for it:



<# 
.SYNOPSIS
Add write permissions to the Windows Event Log for a specific AD object.

.DESCRIPTION
Add write permissions to the Windows Event Log for a specific AD object.

.PARAMETER Account
Active directory object that needs write permissions.

.PARAMETER LogName
Name of the log where we grant permissions

.EXAMPLE
./script.ps! -Account 'Domain users' -LogName Application

.NOTES
CHANGELOG
2016/09/12 Script born #>

Param (
[String]$Account = 'Bob',
[String]$LogName = 'Application'
)

Write-Verbose "Retrieving SID for account '$Account'"

$AdObj = New-Object System.Security.Principal.NTAccount($Account)
$SID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
Write-Verbose "Found SID for account $($SID.Value)"

$w = wevtutil gl $LogName
$channelAccess = $w[5]

if ($channelAccess.Contains('channelAccess:')) {

$str = $channelAccess.Replace('channelAccess: ','')

if ($str.Contains($SID.Value) -eq $false) {
$newstr = $str +"(A;;0x3;;;"+$SID.Value+")"
Write-Verbose "Adding '$newstr'"
wevtutil sl $LogName /ca:$newstr
Write-Verbose "Update complete new value is"
wevtutil gl $LogName
}
else {
Write-Verbose "Update not needed"
}
}






share|improve this answer












share|improve this answer



share|improve this answer










answered Sep 12 '16 at 12:42









user2304170user2304170

1011




1011













  • Thanks. I'll give this a try in a couple of weeks. Out of the country at the moment.

    – mbmast
    Sep 12 '16 at 12:49











  • See my update. I tried you suggestion.

    – mbmast
    Dec 3 '16 at 20:39



















  • Thanks. I'll give this a try in a couple of weeks. Out of the country at the moment.

    – mbmast
    Sep 12 '16 at 12:49











  • See my update. I tried you suggestion.

    – mbmast
    Dec 3 '16 at 20:39

















Thanks. I'll give this a try in a couple of weeks. Out of the country at the moment.

– mbmast
Sep 12 '16 at 12:49





Thanks. I'll give this a try in a couple of weeks. Out of the country at the moment.

– mbmast
Sep 12 '16 at 12:49













See my update. I tried you suggestion.

– mbmast
Dec 3 '16 at 20:39





See my update. I tried you suggestion.

– mbmast
Dec 3 '16 at 20:39













0














I haven't tested this in full but if you go to this registry key:



HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventlog


You can right-click on the Eventlog folder and give permissions to the user you want to allow access or you can choose the Event log.



enter image description here






share|improve this answer


























  • This did not work.

    – mbmast
    Dec 3 '16 at 23:01
















0














I haven't tested this in full but if you go to this registry key:



HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventlog


You can right-click on the Eventlog folder and give permissions to the user you want to allow access or you can choose the Event log.



enter image description here






share|improve this answer


























  • This did not work.

    – mbmast
    Dec 3 '16 at 23:01














0












0








0







I haven't tested this in full but if you go to this registry key:



HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventlog


You can right-click on the Eventlog folder and give permissions to the user you want to allow access or you can choose the Event log.



enter image description here






share|improve this answer















I haven't tested this in full but if you go to this registry key:



HKEY_LOCAL_MACHINESystemCurrentControlSetServicesEventlog


You can right-click on the Eventlog folder and give permissions to the user you want to allow access or you can choose the Event log.



enter image description here







share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 17 '16 at 1:09









3498DB

16k114862




16k114862










answered Nov 17 '16 at 0:38









user664741user664741

1




1













  • This did not work.

    – mbmast
    Dec 3 '16 at 23:01



















  • This did not work.

    – mbmast
    Dec 3 '16 at 23:01

















This did not work.

– mbmast
Dec 3 '16 at 23:01





This did not work.

– mbmast
Dec 3 '16 at 23:01


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1052830%2fhow-to-grant-write-access-to-windows-server-2012-r2-application-event-log%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

VNC viewer RFB protocol error: bad desktop size 0x0I Cannot Type the Key 'd' (lowercase) in VNC Viewer...

Couldn't open a raw socket. Error: Permission denied (13) (nmap)Is it possible to run networking commands...

Why not use the yoke to control yaw, as well as pitch and roll? Announcing the arrival of...