How to Grant Write Access to Windows Server 2012 R2 Application Event Log
I'm running Windows Server 2012 R2 and under that I'm running VMWare Workstation Pro. When Workstation is installed, the user Group __vmware__ is created for VMWare Workstation users. I've added my host machine (i.e. Windows Server 2012 R2) user account (a member of Users, not a member of Administrators) to the __vmware__ Group.

On the host I'd like to create event log entries in the Application event log while running as my user account related to the state of the virtual machines running under VMWare.

From a command window on the host, I type whoami /all and get the following:

    USER INFORMATION
    ----------------

    User Name SID
    ========= ==============================================
    mtemike   S-1-5-21-1052476717-3500785571-2838594007-1118


    GROUP INFORMATION
    -----------------

    Group Name                                 Type             SID                                            Attributes
    ========================================== ================ ============================================== ===============================================================
    Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
    BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
    BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
    BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Group used for deny only
    NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
    CONSOLE LOGON                              Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
    NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
    LOCAL                                      Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
    Authentication authority asserted identity Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
    MTE\__vmware__                             Alias            S-1-5-21-1052476717-3500785571-2838594007-1131 Mandatory group, Enabled by default, Enabled group, Local Group
    Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


    PRIVILEGES INFORMATION
    ----------------------

    Privilege Name                Description                    State
    ============================= ============================== ========
    SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
    SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


    USER CLAIMS INFORMATION
    -----------------------

    User claims unknown.

    Kerberos support for Dynamic Access Control on this device has been disabled.

Note that my user account is a member of __vmware__ and the SID is S-1-5-21-1052476717-3500785571-2838594007-1131.

From an Administrator account, I edit the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application

And modify the CustomSD entry as follows:

    O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

Here you can see that the __vmware__ Group has been granted Read and Write access to the Application event log.

Yet, when I attempt to create a log entry:

    eventcreate /SO TestEventMsg /Id 1 /D "This is a test message" /T INFORMATION /L Application

I get an Access denied error.

What am I not doing correctly?

UPDATE 2016-12-03

I tried user2304170's suggestion and this is what I got:

    PS C:\Users\Netadmin\Documents> ./GrantEventLogAccess.ps1 -Account '__vmware__' -LogName Application
    Failed to save configuration or activate log Application. Access is denied.
    name: Application
    enabled: true
    type: Admin
    owningPublisher:
    isolation: Application
    channelAccess: O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
    logging:
    logFileName: %SystemRoot%\System32\Winevt\Logs\Application.evtx
    retention: false
    autoBackup: false
    maxSize: 20971520
    publishing:
    fileMax: 1
    PS C:\Users\Netadmin\Documents>
permissions windows-server-2012-r2 event-log
edited Dec 3 '16 at 20:38
mbmast
asked Mar 14 '16 at 19:44
mbmast
  • Did you run user2304170's suggestion in an admin powershell window?

    – cjb110
    Jul 20 '18 at 12:49
  • Sorry, I can't recall and I've given up using Windows Server as a VM host.

    – mbmast
    Jul 20 '18 at 18:52
2 Answers
Puzzling stuff together on the internet I've created this little script for it:



    <#
    .SYNOPSIS
    Add write permissions to the Windows Event Log for a specific AD object.

    .DESCRIPTION
    Add write permissions to the Windows Event Log for a specific AD object.

    .PARAMETER Account
    Active directory object that needs write permissions.

    .PARAMETER LogName
    Name of the log where we grant permissions

    .EXAMPLE
    ./script.ps1 -Account 'Domain users' -LogName Application

    .NOTES
    CHANGELOG
    2016/09/12 Script born
    #>

    # wevtutil sl cannot save the channel configuration from a non-elevated
    # prompt ("Access is denied"), so require elevation up front.
    #Requires -RunAsAdministrator

    # CmdletBinding makes -Verbose a valid switch, so the Write-Verbose lines show.
    [CmdletBinding()]
    Param (
        [String]$Account = 'Bob',
        [String]$LogName = 'Application'
    )

    Write-Verbose "Retrieving SID for account '$Account'"

    $AdObj = New-Object System.Security.Principal.NTAccount($Account)
    $SID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
    Write-Verbose "Found SID for account $($SID.Value)"

    # Select the channelAccess line by name instead of by position ($w[5]),
    # so the script does not depend on the field order of 'wevtutil gl'.
    $w = wevtutil gl $LogName
    $channelAccess = $w | Where-Object { $_ -like 'channelAccess:*' }

    if ($channelAccess) {

        $str = $channelAccess.Replace('channelAccess: ','')

        # Append an ACE only if the SID is not already in the DACL.
        # 0x3 = read (0x1) + write (0x2) on an event log channel.
        if ($str.Contains($SID.Value) -eq $false) {
            $newstr = $str + "(A;;0x3;;;" + $SID.Value + ")"
            Write-Verbose "Adding '$newstr'"
            wevtutil sl $LogName /ca:$newstr
            Write-Verbose "Update complete new value is"
            wevtutil gl $LogName
        }
        else {
            Write-Verbose "Update not needed"
        }
    }
answered Sep 12 '16 at 12:42
user2304170
  • Thanks. I'll give this a try in a couple of weeks. Out of the country at the moment.

    – mbmast
    Sep 12 '16 at 12:49
  • See my update. I tried you suggestion.

    – mbmast
    Dec 3 '16 at 20:39
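An added example, not code from the question, from either answer, or from Microsoft's tooling: a Python script that reads the CustomSD/channelAccess descriptor posted in the question and the channelAccess field that the script in this answer picks out of wevtutil gl by position. It parses the DACL ACE by ACE, decodes the event log access-mask bits (0x1 read, 0x2 write, 0x4 clear), works out what a token carrying the SIDs from the question's whoami /all output is granted (treating the "Group used for deny only" SID the way the Windows access check does), locates channelAccess by field name and re-joins the wrapped line from the question's update, and appends a write-only ACE for a SID that has no write bit. The alias table covers only the two-letter SIDs in that descriptor, the sample strings are copied from the question, and nothing here touches a live host; the evaluation of a whole token and of deny ACEs goes beyond the single-SID substring check in the script above.

```python
import re

# Access-mask bits that event log channel ACEs (CustomSD / channelAccess) use.
EVENTLOG_READ = 0x1
EVENTLOG_WRITE = 0x2
EVENTLOG_CLEAR = 0x4

# SDDL two-letter SID aliases used by the descriptor posted in the question.
SID_ALIASES = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "SO": "S-1-5-32-549",  # BUILTIN\Server Operators
    "IU": "S-1-5-4",       # NT AUTHORITY\INTERACTIVE
    "SU": "S-1-5-6",       # NT AUTHORITY\SERVICE
}

# One ACE: (type;flags;mask;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([A-Z]+);([A-Z]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")
# DACL section: "D:", optional control flags (P, AI, AR), then a run of ACEs.
DACL_RE = re.compile(r"D:(?:P|AI|AR)*((?:\([^)]*\))*)")


def parse_dacl(sddl):
    """Return DACL ACEs as (ace_type, mask, sid) with aliases expanded to S-1-... form.
    Only hex masks are accepted; event log descriptors do not use the GA/GR/GW letters."""
    m = DACL_RE.search(sddl)
    if m is None:
        raise ValueError("descriptor has no DACL")
    aces = []
    for ace_type, _flags, mask, sid in ACE_RE.findall(m.group(1)):
        if not mask.lower().startswith("0x"):
            raise ValueError(f"unsupported access mask {mask!r}")
        aces.append((ace_type, int(mask, 16), SID_ALIASES.get(sid, sid)))
    return aces


def effective_rights(sddl, token_sids, deny_only_sids=()):
    """Bits a token holding token_sids is granted: allow ACEs for those SIDs,
    minus bits in deny ACEs. SIDs that whoami /all flags 'used for deny only'
    match deny ACEs but never allow ACEs, as in the NT access check."""
    allow_sids = {SID_ALIASES.get(s, s) for s in token_sids}
    deny_sids = allow_sids | {SID_ALIASES.get(s, s) for s in deny_only_sids}
    allowed = denied = 0
    for ace_type, mask, sid in parse_dacl(sddl):
        if ace_type == "A" and sid in allow_sids:
            allowed |= mask
        elif ace_type == "D" and sid in deny_sids:
            denied |= mask
    return allowed & ~denied


def describe(mask):
    """Name the event log bits in a mask, e.g. 0x3 -> 'read+write'."""
    names = [n for bit, n in ((EVENTLOG_READ, "read"), (EVENTLOG_WRITE, "write"),
                              (EVENTLOG_CLEAR, "clear")) if mask & bit]
    return "+".join(names) or "none"


def channel_access_from_wevtutil(output):
    """Extract the channelAccess SDDL from 'wevtutil gl <log>' output by field
    name, joining continuation lines that a wrapped console paste produced."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("channelAccess:"):
            sddl = line.split(":", 1)[1].strip()
            for cont in lines[i + 1:]:
                if not cont.startswith("("):
                    break
                sddl += cont.strip()
            return sddl
    raise ValueError("channelAccess field not found")


def ensure_write_ace(sddl, sid):
    """Return sddl unchanged if sid already has write; otherwise append a
    write-only (0x2) ACE rather than the read+write 0x3 the answer's script adds."""
    if effective_rights(sddl, [sid]) & EVENTLOG_WRITE:
        return sddl
    return f"{sddl}(A;;0x{EVENTLOG_WRITE:x};;;{sid})"


# Constructed sample input: the descriptor and whoami /all SIDs posted in the
# question, and the wevtutil gl output from the update (wrapped line kept as pasted).
VMWARE_SID = "S-1-5-21-1052476717-3500785571-2838594007-1131"
PAGE_SDDL = ("O:BAG:SYD:(A;;0x3;;;" + VMWARE_SID + ")(A;;0x2;;;S-1-15-2-1)"
             "(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)"
             "(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)")
TOKEN_SIDS = ["S-1-5-21-1052476717-3500785571-2838594007-1118", "S-1-1-0",
              "S-1-5-32-545", "S-1-5-32-574", "S-1-5-4", "S-1-2-1", "S-1-5-11",
              "S-1-5-15", "S-1-2-0", "S-1-18-1", VMWARE_SID]
DENY_ONLY_SIDS = ["S-1-5-32-554"]
WEVTUTIL_GL = """name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)
(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
retention: false
"""

if __name__ == "__main__":
    sddl = channel_access_from_wevtutil(WEVTUTIL_GL)
    for ace_type, mask, sid in parse_dacl(sddl):
        print(f"{ace_type} {sid:<46} {describe(mask)}")
    print("token from whoami /all gets:",
          describe(effective_rights(sddl, TOKEN_SIDS, DENY_ONLY_SIDS)))
    print("write-only grant to BUILTIN\\Users would append:",
          ensure_write_ace(sddl, "S-1-5-32-545")[len(sddl):])
```

Run it as-is to list each ACE with its decoded rights and the rights the posted token receives; to audit a real channel, paste the output of wevtutil gl <log> into WEVTUTIL_GL and the SIDs from whoami /all into TOKEN_SIDS and DENY_ONLY_SIDS. Writing a changed descriptor back is still done with wevtutil sl <log> /ca:<sddl> from an elevated prompt; this script only evaluates strings.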
I haven't tested this in full but if you go to this registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog

You can right-click on the Eventlog folder and give permissions to the user you want to allow access or you can choose the Event log.
edited Nov 17 '16 at 1:09
3498DB
answered Nov 17 '16 at 0:38
user664741
  • This did not work.

    – mbmast
    Dec 3 '16 at 23:01