Domain Controller Granular Event Log Delegation
So you’ve combed through 7-year-old TechNet forum posts, cursed the limitations of the Event Log Readers group when trying to use Get-WinEvent, and then tried to decipher SDDL to no avail. A treatment for all those woes:
```powershell
function Add-EventLogAccess {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        # Must resolve to an existing AD object (user or group) by sAMAccountName
        [ValidateScript({Get-ADObject -LDAPFilter "(samaccountname=$_)"})]
        [string]$Identity,
        [ValidateSet('Application','Security','System')]
        [string]$LogName,
        # RO = read (0x1), RW = read + write (0x3)
        [ValidateSet('RO','RW')]
        [string]$Permission
    )
    try {
        # Get original permissions in SDDL format (the effective channel ACL as the service sees it)
        $origValue = ((wevtutil.exe gl $LogName | Where-Object {$_ -match '^channelAccess'}) -split ': ')[-1].Trim()

        # Create new SDDL syntax
        switch ($Permission) {
            'RO' {$PermissionHex = '0x1'}
            'RW' {$PermissionHex = '0x3'}
        }
        $ADsid = (Get-ADObject -LDAPFilter "(samaccountname=$Identity)" -Properties ObjectSid).ObjectSid.Value
        if ($origValue -match $ADsid) {
            Write-Host "$ADsid already set in SDDL, manual inspection required`nCurrent Value: $origValue" -ForegroundColor Yellow
            return
        }
        # Append an access-allowed ACE for the principal to the existing DACL
        $newValue = "$origValue(A;;$PermissionHex;;;$ADsid)"
        Write-Host "CustomSD original value: $origValue"
        Write-Host "CustomSD new value: $newValue"

        $Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
        if ($PSCmdlet.ShouldProcess("$LogName log with value $newValue", "Set-ItemProperty")) {
            # NOTE: removing CustomSD allows channelAccess to return to default, verified with wevtutil.exe gl $LogName
            Set-ItemProperty -Path $Path -Name 'CustomSD' -Value $newValue -Type String -ErrorAction Stop -Force

            # The principal also needs ReadKey on the log's registry key
            $regACL = Get-Acl $Path
            if ($regACL.Access | Where-Object {$_.IdentityReference -like "*$Identity" -and $_.RegistryRights -eq 'ReadKey' -and $_.AccessControlType -eq 'Allow'}) {
                Write-Host "`n$Identity already has ability to read $Path" -ForegroundColor Yellow
            }
            else {
                Write-Host "`nAdd $Identity permission to $Path" -ForegroundColor Green
                $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
                $regACL.AddAccessRule($rule)
                Set-Acl -AclObject $regACL -Path $regACL.Path -ErrorAction Stop
            }
        }
    }
    catch {
        throw $_
    }
}

Add-EventLogAccess -Identity 'MY_AD_GROUP' -LogName Security -Permission RO
```
The basic gist here is that the CustomSD registry value will contain your new permissions and […]
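Once CustomSD is in place, the thing you actually want to know is who can now read, write or clear each log. The decoder below is an added example (not code from the original post) that turns a channelAccess SDDL string into per-principal rights, using .NET's RawSecurityDescriptor instead of hand-parsing ACEs. The function names `ConvertFrom-EventLogSddl` and `Get-EventLogAccess` are my own, the access-mask bits are the documented event log channel rights (0x1 read, 0x2 write, 0x4 clear), and the sample SDDL at the bottom is constructed for the offline demo; the S-1-5-21-... SID in it is made up.

```powershell
function ConvertFrom-EventLogSddl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Sddl
    )
    # .NET parses the SDDL, including short aliases such as BA (Builtin Administrators)
    # and SY (Local System), so no hand-rolled regex over the ACE string is needed.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = $ace.AccessMask
        $sid  = $ace.SecurityIdentifier
        # Translating a domain SID to a name needs a reachable domain; fall back to the raw SID.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        [pscustomobject]@{
            Type      = $ace.AceType                    # AccessAllowed or AccessDenied
            Principal = $name
            Sid       = $sid.Value
            Read      = [bool]($mask -band 0x1)         # channel read
            Write     = [bool]($mask -band 0x2)         # channel write
            Clear     = [bool]($mask -band 0x4)         # channel clear
            Mask      = ('0x{0:x}' -f $mask)            # raw mask, standard rights included
        }
    }
}

function Get-EventLogAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Application','Security','System')]
        [string]$LogName
    )
    # Effective ACL as the Event Log service reports it (the same source Add-EventLogAccess reads).
    $effective = ((wevtutil.exe gl $LogName | Where-Object { $_ -match '^channelAccess' }) -split ': ')[-1].Trim()
    # CustomSD override, if one has been set; the value is absent on an untouched log.
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
    $custom  = (Get-ItemProperty -Path $regPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if ($custom -and $custom -ne $effective) {
        Write-Warning "CustomSD for $LogName does not match the channelAccess reported by wevtutil; inspect both values."
    }
    ConvertFrom-EventLogSddl -Sddl $effective
}

# Offline demo on a constructed SDDL (same shape as wevtutil's channelAccess line).
$sample = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-21-1111-2222-3333-4444)'
ConvertFrom-EventLogSddl -Sddl $sample | Format-Table Type, Principal, Read, Write, Clear, Mask -AutoSize

# On a live domain controller, list every principal that can clear the Security log:
# Get-EventLogAccess -LogName Security | Where-Object Clear
```

Running `Get-EventLogAccess` across your domain controllers after a delegation gives you a diffable record of who holds which log rights, which is the check you want in a review rather than eyeballing the raw SDDL; the mismatch warning also catches a CustomSD value that the service is not actually honouring.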