March 2019 – infiniteloop.io

Domain Controller Granular Event Log Delegation

Posted on March 23, 2019March 30, 2019 The LooperPosted in Active Directory, Microsoft, Powershell

So you’ve combed through 7 year old TechNet forum posts, cursed the limitations of Event Log Readers group when trying to use Get-WinEvent, and then tried to decipher SDDL to no avail. A treatment for all those woes:

function Add-EventLogAccess {
    [cmdletbinding(supportsshouldprocess=$true)]
    param(
      [ValidateScript({Get-ADObject -ld "(samaccountname=$_)"})]
      [string]$Identity,
      [ValidateSet('Application','Security','System')]
      [string]$LogName,
      [ValidateSet('RO','RW')]
      [string]$Permission
    )

  try{
    #get original permissions in SDDL format
    $origValue = ((wevtutil.exe gl $LogName | ? {$_ -match '^channelAccess'}) -split ': ')[-1].trim()

    #create new SDDL syntax
    switch($Permission){
      'RO' {$PermissionHex = '0x1'}
      'RW' {$PermissionHex = '0x3'}
    }
    
    $ADsid = (Get-ADObject -ld "(samaccountname=$Identity)" -prop ObjectSid).ObjectSid.Value
    if($origValue -match $ADsid){write-host "$ADsid already set in SDDL, manual inspection required`nCurrent Value: $origValue" -f yellow; return}
    
    $newValue = "$origValue(A;;$PermissionHex;;;$ADsid)”
    write-host "CustomSD original value:  $origValue"
    write-host "CustomSD new value:  $newValue"
    
    $Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$logName"
      
    if($PSCmdlet.ShouldProcess("$logname log with value $newValue","Set-ItemProperty")){
      #NOTE removing customSD allows channelaccess to return to default, verified with wevutil.exe gl $LogName
      Set-ItemProperty -Path $path -Name 'CustomSD' -Value $newValue -Type string -ErrorAction Stop -Force 

      $regACL = Get-Acl $Path
      if($regacl.Access | ? {$_.identityreference -like "*$Identity" -and $_.RegistryRights -eq 'ReadKey' -and $_.AccessControlType -eq 'Allow'}){
        write-host "`n$Identity already has ability to read $Path" -f Yellow
      }
      else{
        write-host "`nAdd $Identity permission to $path" -f Green
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity,'ReadKey','ContainerInherit,ObjectInherit','None','Allow')
        $regACL.AddAccessRule($rule)
        Set-Acl -AclObject $regACL -Path $regACL.Path -ErrorAction Stop
      }
    }
  } 
  catch{
    throw $_
  }

}

Add-EventLogAccess -Identity 'MY_AD_GROUP' -LogName Security -Permission RO

function Add-EventLogAccess {

[cmdletbinding(supportsshouldprocess=$true)]

param(

[ValidateScript({Get-ADObject -ld "(samaccountname=$_)"})]

[string]$Identity,

[ValidateSet('Application','Security','System')]

[string]$LogName,

[ValidateSet('RO','RW')]

[string]$Permission

)

try{

#get original permissions in SDDL format

$origValue = ((wevtutil.exe gl $LogName | ? {$_ -match '^channelAccess'}) -split ': ')[-1].trim()

#create new SDDL syntax

switch($Permission){

'RO' {$PermissionHex = '0x1'}

'RW' {$PermissionHex = '0x3'}

}

$ADsid = (Get-ADObject -ld "(samaccountname=$Identity)" -prop ObjectSid).ObjectSid.Value

if($origValue -match $ADsid){write-host "$ADsid already set in SDDL, manual inspection required`nCurrent Value: $origValue" -f yellow; return}

$newValue = "$origValue(A;;$PermissionHex;;;$ADsid)”

write-host "CustomSD original value: $origValue"

write-host "CustomSD new value: $newValue"

$Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$logName"

if($PSCmdlet.ShouldProcess("$logname log with value $newValue","Set-ItemProperty")){

#NOTE removing customSD allows channelaccess to return to default, verified with wevutil.exe gl $LogName

Set-ItemProperty -Path $path -Name 'CustomSD' -Value $newValue -Type string -ErrorAction Stop -Force

$regACL = Get-Acl $Path

if($regacl.Access | ? {$_.identityreference -like "*$Identity" -and $_.RegistryRights -eq 'ReadKey' -and $_.AccessControlType -eq 'Allow'}){

write-host "`n$Identity already has ability to read $Path" -f Yellow

}

else{

write-host "`nAdd $Identity permission to $path" -f Green

$rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity,'ReadKey','ContainerInherit,ObjectInherit','None','Allow')

$regACL.AddAccessRule($rule)

Set-Acl -AclObject $regACL -Path $regACL.Path -ErrorAction Stop

}

catch{

throw $_

}

Add-EventLogAccess -Identity 'MY_AD_GROUP' -LogName Security -Permission RO

The basic gist here is that the CustomSD registry value will contain your new permissions and […]