How to Grant Write Access to Windows Server 2012 R2 Application Event Log
I'm running Windows Server 2012 R2 and under that I'm running VMWare Workstation Pro. When Workstation is installed, the user Group __vmware__ is created for VMWare Workstation users. I've added my host machine (i.e. Windows Server 2012 R2) user account (a member of Users, not a member of Administrators) to the __vmware__ Group.



On the host I'd like to create event log entries in the Application event log while running as my user account related to the state of the virtual machines running under VMWare.



From a command window on the host, I type whoami /all and get the following:



USER INFORMATION
----------------

User Name SID
========= ==============================================
mtemike   S-1-5-21-1052476717-3500785571-2838594007-1118


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Group used for deny only
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
MTE\__vmware__                             Alias            S-1-5-21-1052476717-3500785571-2838594007-1131 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.


Note that my user account is a member of __vmware__ and the SID is S-1-5-21-1052476717-3500785571-2838594007-1131.



From an Administrator account, I edit the following registry key:



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application



And modify the CustomSD entry as follows:



O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)



Here you can see that the __vmware__ Group has been granted Read and Write access to the Application event log.



Yet, when I attempt to create a log entry:



eventcreate /SO TestEventMsg /Id 1 /D "This is a test message" /T INFORMATION /L Application



I get an Access denied error.



What am I not doing correctly?



UPDATE 2016-12-03



I tried user2304170's suggestion and this is what I got:



PS C:\Users\Netadmin\Documents> ./GrantEventLogAccess.ps1 -Account '__vmware__' -LogName Application
Failed to save configuration or activate log Application. Access is denied.
name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Application.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
PS C:\Users\Netadmin\Documents>
permissions windows-server-2012-r2 event-log
edited Dec 3 '16 at 20:38

asked Mar 14 '16 at 19:44 by mbmast

  • Did you run user2304170's suggestion in an admin powershell window?
    – cjb110
    Jul 20 '18 at 12:49










  • Sorry, I can't recall and I've given up using Windows Server as a VM host.
    – mbmast
    Jul 20 '18 at 18:52
2 Answers
Puzzling stuff together from the internet, I've created this little script for it:



<# 
.SYNOPSIS
Add write permissions to the Windows Event Log for a specific AD object.

.DESCRIPTION
Add write permissions to the Windows Event Log for a specific AD object.
Must be run from an elevated session: 'wevtutil sl' otherwise fails with
"Failed to save configuration or activate log <name>. Access is denied."

.PARAMETER Account
Active directory object that needs write permissions.

.PARAMETER LogName
Name of the log where we grant permissions

.EXAMPLE
./script.ps1 -Account 'Domain users' -LogName Application

.NOTES
CHANGELOG
2016/09/12 Script born #>

[CmdletBinding()]
Param (
    [String]$Account = 'Bob',
    [String]$LogName = 'Application'
)

Write-Verbose "Retrieving SID for account '$Account'"

$AdObj = New-Object System.Security.Principal.NTAccount($Account)
$SID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
Write-Verbose "Found SID for account $($SID.Value)"

# Pick the channelAccess line by its label; its position in 'wevtutil gl' output is not fixed
$w = wevtutil gl $LogName
$channelAccess = $w | Where-Object { $_ -match '^\s*channelAccess:' } | Select-Object -First 1

if ($channelAccess) {

    $str = ($channelAccess -replace '^\s*channelAccess:\s*', '').Trim()

    if ($str.Contains($SID.Value) -eq $false) {
        # 0x3 = read (0x1) + write (0x2) on the channel
        $newstr = $str + "(A;;0x3;;;" + $SID.Value + ")"
        Write-Verbose "Adding '$newstr'"
        wevtutil sl $LogName /ca:$newstr
        if ($LASTEXITCODE -ne 0) {
            throw "wevtutil sl failed (exit code $LASTEXITCODE); run this from an elevated prompt"
        }
        Write-Verbose "Update complete, new value is"
        wevtutil gl $LogName
    }
    else {
        Write-Verbose "Update not needed"
    }
}
else {
    throw "No channelAccess line found for log '$LogName'"
}
answered Sep 12 '16 at 12:42 by user2304170

  • Thanks. I'll give this a try in a couple of weeks. Out of the country at the moment.
    – mbmast
    Sep 12 '16 at 12:49










  • See my update. I tried your suggestion.
    – mbmast
    Dec 3 '16 at 20:39
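The channel ACL that the question edits by hand (CustomSD in the registry, which `wevtutil gl` shows as channelAccess) and the script above appends to, as an added example; this is not the posted script and not VMware's or Microsoft's code. It decodes every ACE in the SDDL into read/write/clear bits and resolves the SIDs, so you can see exactly what the __vmware__ SID holds instead of eyeballing the string, and it only appends `(A;;0x3;;;<SID>)` when the write bit is genuinely missing for that exact SID (a substring search would also match a longer SID that merely starts the same). It assumes Windows PowerShell 5.x on the Windows Server 2012 R2 host and, for the grant step, an elevated session: `wevtutil sl` is the call that produces "Failed to save configuration or activate log Application. Access is denied." when it is not. The account and log names default to the ones in the question.

```powershell
<#
Added example (not from the original answer). Audits and, if needed, extends the
event log channel ACL for one account. Assumes Windows PowerShell 5.x on the
Windows Server 2012 R2 host; the grant step needs an elevated session.
#>
[CmdletBinding()]
param(
    [string]$Account = '__vmware__',   # group from the question
    [string]$LogName = 'Application'
)

# Access bits used in event log channel ACEs (the same numbers that appear in CustomSD)
$ChannelRead = 0x1; $ChannelWrite = 0x2; $ChannelClear = 0x4

function Test-Elevated {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object System.Security.Principal.WindowsPrincipal $id).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ChannelSddl([string]$Log) {
    # Select the line by its label; do not rely on it being a fixed line of the output
    $line = wevtutil gl $Log | Where-Object { $_ -match '^\s*channelAccess:' } | Select-Object -First 1
    if (-not $line) { throw "wevtutil gl $Log returned no channelAccess line" }
    ($line -replace '^\s*channelAccess:\s*', '').Trim()
}

function Get-ChannelAce([string]$Sddl) {
    # RawSecurityDescriptor parses full SDDL, including the BA/SY/SO/IU/SU aliases
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $name = $ace.SecurityIdentifier.Value
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Type  = $ace.AceQualifier
            Sid   = $ace.SecurityIdentifier.Value
            Name  = $name
            Mask  = '0x{0:x}' -f $ace.AccessMask
            Read  = [bool]($ace.AccessMask -band $ChannelRead)
            Write = [bool]($ace.AccessMask -band $ChannelWrite)
            Clear = [bool]($ace.AccessMask -band $ChannelClear)
        }
    }
}

$sid  = (New-Object System.Security.Principal.NTAccount -ArgumentList $Account).Translate(
            [System.Security.Principal.SecurityIdentifier])
$sddl = Get-ChannelSddl $LogName
$aces = Get-ChannelAce $sddl
"Current DACL on channel '$LogName':"
$aces | Format-Table Type, Name, Mask, Read, Write, Clear -AutoSize

# Compare on the SID itself, not with a substring search over the SDDL text
$hasWrite = $aces | Where-Object { $_.Sid -eq $sid.Value -and $_.Type -eq 'AccessAllowed' -and $_.Write }
if ($hasWrite) {
    "$Account ($($sid.Value)) already has write access; the channel ACL is not what is blocking"
    return
}
if (-not (Test-Elevated)) {
    throw "Changing the channel ACL needs an elevated session; re-run as administrator"
}
# Append read+write for the account. A local or domain group has no two-letter alias, so use the S-1-... form
$newSddl = $sddl + ('(A;;0x3;;;{0})' -f $sid.Value)
wevtutil sl $LogName /ca:$newSddl
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
"Granted; ACE now held by $Account :"
Get-ChannelAce (Get-ChannelSddl $LogName) | Where-Object Sid -eq $sid.Value |
    Format-Table Name, Mask, Read, Write, Clear -AutoSize
```

Run against the channelAccess string in the question's update, the table shows the __vmware__ SID with Read and Write both true, which is the "already has write access" branch: the ACL edit did take effect, so the remaining "Access denied" from eventcreate has to come from something other than the channel DACL.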
I haven't tested this in full but if you go to this registry key:



HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog


You can right-click on the Eventlog folder and give permissions to the user you want to allow access or you can choose the Event log.



edited Nov 17 '16 at 1:09 by 3498DB

answered Nov 17 '16 at 0:38 by user664741

  • This did not work.
    – mbmast
    Dec 3 '16 at 23:01
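The registry angle this answer points at, as an added example that is not the answer's own code: the channel ACL (CustomSD, shown as channelAccess by wevtutil) governs writing events to the log, but an event source is a subkey under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>, and registering a new source is a registry write that the channel ACL does not cover, so it is a separate thing to check when a non-admin caller is refused. The script lists who may create subkeys under the log's key, registers the source once from an elevated session, then writes a test event and reads it back; once the source exists, the non-admin __vmware__ member only needs the channel grant to write with it. It assumes Windows PowerShell 5.x on the Windows Server 2012 R2 host; the source name 'VMStateMonitor' is an assumed placeholder, not anything from the question.

```powershell
<#
Added example (not from the original answer). Separates the two permissions involved:
creating the source subkey (registry ACL on the log's key) and writing events
(channel ACL). Assumes Windows PowerShell 5.x on the Windows Server 2012 R2 host.
#>
[CmdletBinding()]
param(
    [string]$LogName = 'Application',
    [string]$Source  = 'VMStateMonitor',        # assumed placeholder source name
    [string]$Message = 'VM state test event'     # constructed sample message
)

$logKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
$sourceKey = Join-Path $logKey $Source

function Test-Elevated {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object System.Security.Principal.WindowsPrincipal $id).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SubKeyCreator([string]$Key) {
    # Principals whose registry ACE includes CreateSubKey, i.e. who can register a new source here.
    # FullControl contains CreateSubKey, so the -band test catches Administrators/SYSTEM too.
    (Get-Acl -Path $Key).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::CreateSubKey)
        } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

"Principals allowed to register sources under $logKey :"
Get-SubKeyCreator $logKey | Format-Table -AutoSize

if (-not (Test-Path -Path $sourceKey)) {
    if (-not (Test-Elevated)) {
        throw "Source '$Source' is not registered under $logKey and this session is not elevated; " +
              "register it once as an administrator: New-EventLog -LogName $LogName -Source $Source"
    }
    # One-time registration: creates the subkey with its EventMessageFile value
    New-EventLog -LogName $LogName -Source $Source
    "Registered source '$Source' (subkey $sourceKey)"
}
else {
    "Source '$Source' is already registered"
}

# From here on only the channel ACL matters: a caller with write (0x2) on the channel
# can do this from a non-admin session, which is the point of granting __vmware__ 0x3.
Write-EventLog -LogName $LogName -Source $Source -EventId 1 -EntryType Information -Message $Message

# Read it back (needs channel read, 0x1, which the 0x3 grant also covers)
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source } -MaxEvents 1 |
    Format-List TimeCreated, ProviderName, Id, Message
```

Run it once elevated to register the source, then again from the non-admin __vmware__ member's session: the second run should reach Write-EventLog and succeed on the channel grant alone. If that second run is still refused, the ACE list printed by the first part tells you whether the account is missing write on the registry key rather than on the channel.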