Permissions changes on Windows event log are not working (GPO change)
I'm trying to grant permissions to the Network Service account (SID S-1-5-20) on the event log "Microsoft-Windows-CAPI2/Operational" (see picture below). However, I need to push this change on more than 1000 servers, and more are coming. So my solution has to be linked somehow to a GPO (I'm trying to avoid the usage of a script with the GPO for technical reasons).
According to the instructions from Microsoft, you have to:
- Create a new registry key named "CustomSD" under the concerned event log key in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\custom_log'
- Create a string "CustomSD" with the proper permissions defined in the SDDL format: O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)
- Restart the host and verify permissions
However, when I reboot the host and check the permissions using the following commands, I can see that the new permissions are not applied:
wevtutil get-log "Microsoft-Windows-CAPI2/Operational"
OR
Get-WinEvent -ListLog "Microsoft-Windows-CAPI2/Operational" | Format-List -Property *
Where I am confused is that only the following keys related to the main event logs are available in: 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog'
And in my case I have tried to:
- create a new registry key in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\CAPI2' >> did not work
- create the registry key in the following path 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\application\Microsoft-Windows-CAPI2' since the name of the event log was present >> did not work
So my point is that I do not understand why the permissions are not updated. Am I doing something wrong? I have also checked the following link but it seems that it applies only to the event logs available in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog'.
permissions windows-event-log windows-registry
edited 13 hours ago
asked 15 hours ago
Michel de Crevoisier
1 Answer
I use wevtutil to set the permissions:
wevtutil set-log "Microsoft-Windows-CAPI2/Operational" /channelaccess:O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)
wevtutil get-log "Microsoft-Windows-CAPI2/Operational"
name: Microsoft-Windows-CAPI2/Operational
enabled: false
type: Operational
owningPublisher: Microsoft-Windows-CAPI2
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CAPI2%4Operational.evtx
  retention: false
  autoBackup: false
  maxSize: 1052672
publishing:
  fileMax: 1
answered 14 hours ago
Greg Askew
Hi Greg, thanks for the answer. However, I did not mention that I need to have this solution built into a GPO. Of course I could use a script that executes your command, but for technical constraints, I'm trying to avoid a script method. Pushing registry keys over GPO would be the easiest solution.
– Michel de Crevoisier
13 hours ago
Then you should create a registry preference for Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational Value: ChannelAccess
– Greg Askew
10 hours ago
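A read-only check for the rollout discussed in this thread, added here as an example (not code from either poster): it decodes the SDDL string into per-SID read/write/clear rights and compares the ChannelAccess registry value with the descriptor the Event Log service reports for the channel. The function names are made up for the example; 0x1, 0x2 and 0x4 are the event log read, write and clear bits, and the key is opened through .NET because the PowerShell registry provider treats the "/" in the channel name as a path separator.

```powershell
# Added example: verify the ChannelAccess setting on one host (read-only).
$Channel  = 'Microsoft-Windows-CAPI2/Operational'
$Expected = 'O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)'  # string from the thread
$Sid      = 'S-1-5-20'                                                  # Network Service

# Hypothetical helper: turn an SDDL string into one row per DACL entry.
function ConvertFrom-ChannelSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Type  = $ace.AceQualifier                 # AccessAllowed / AccessDenied
            Sid   = $ace.SecurityIdentifier.Value
            Mask  = '0x{0:X}' -f $ace.AccessMask
            Read  = [bool]($ace.AccessMask -band 0x1)
            Write = [bool]($ace.AccessMask -band 0x2)
            Clear = [bool]($ace.AccessMask -band 0x4)
        }
    }
}

# Hypothetical helper: does an ACE naming this SID directly grant read?
# Group membership is not expanded, so rights inherited through a group
# such as Authenticated Users are not counted here.
function Test-SidCanRead {
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Sid)
    $aces = @(ConvertFrom-ChannelSddl $Sddl | Where-Object { $_.Sid -eq $Sid })
    if ($aces | Where-Object { $_.Type -eq 'AccessDenied' -and $_.Read }) { return $false }
    [bool]($aces | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Read })
}

# Value pushed by the GPO registry preference. Opened through .NET, since
# Get-ItemProperty would split the key name at the "/".
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\$Channel")
$configured = if ($key) { $key.GetValue('ChannelAccess') } else { $null }

# Descriptor the Event Log service currently reports for the channel.
$effective = (Get-WinEvent -ListLog $Channel).SecurityDescriptor

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Channel          = $Channel
    RegistryValue    = $configured
    EffectiveSddl    = $effective
    RegistryMatches  = ($configured -eq $Expected)
    EffectiveMatches = ($effective -eq $Expected)
    SidCanRead       = Test-SidCanRead -Sddl $effective -Sid $Sid
} | Format-List

# Per-ACE breakdown of what is actually in force.
ConvertFrom-ChannelSddl $effective | Format-Table -AutoSize
```

For the string in the thread, the breakdown shows BA with read, write and clear (0x7), AU with write only (0x2), and S-1-5-20 with read only (0x1).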