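function Add-EventLogAccess {
<#
.SYNOPSIS
Grants an AD principal read (RO) or read+write (RW) access to a Windows event log.

.DESCRIPTION
Reads the log's current channel security descriptor (SDDL) with wevtutil, appends an
Allow ACE carrying the principal's SID, and writes the result to the CustomSD value under
HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\<LogName>. The principal is also granted
ReadKey on that registry key (plus inheritance to subkeys/values).

Must run elevated (it writes HKLM) with the ActiveDirectory module available. Both writes
honour -WhatIf / -Confirm via SupportsShouldProcess.

Safety checks added in this revision:
  * parameters are mandatory, so a missing -Permission can no longer produce an ACE with
    an empty access mask;
  * the wevtutil output is verified (exit code, presence of channelAccess, 'O:...D:' shape)
    before anything is written, so an empty/garbled value cannot replace the whole DACL
    with a single ACE;
  * the principal name is LDAP-escaped before being placed in the filter, and the ACE and
    the registry rule are both built from the resolved SID rather than the bare name, so a
    local account with the same name cannot be granted instead of the domain principal.

NOTE(review): for the Security log the CustomSD registry value is reportedly not honoured on
current Windows builds (the descriptor is set with `wevtutil sl Security /ca:` or the
"Manage auditing and security log" policy instead) — confirm on the target OS before
relying on this function for that log.

.PARAMETER Identity
sAMAccountName of the user or group. Validated to exist in AD at bind time.

.PARAMETER LogName
One of Application, Security, System.

.PARAMETER Permission
RO -> access mask 0x1 (read). RW -> 0x3 (read + write). Clear-log (0x4) is never granted.

.OUTPUTS
None. Progress is written to the host; any failure is rethrown.
#>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [ValidateScript({
            # Escape LDAP filter metacharacters (RFC 4515) so the name cannot widen the filter.
            $escaped = $_ -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
            [bool](Get-ADObject -LDAPFilter "(sAMAccountName=$escaped)")
        })]
        [string]$Identity,

        [Parameter(Mandatory = $true)]
        [ValidateSet('Application', 'Security', 'System')]
        [string]$LogName,

        [Parameter(Mandatory = $true)]
        [ValidateSet('RO', 'RW')]
        [string]$Permission
    )
    try {
        # SDDL access-mask field for the new ACE.
        $accessMask = switch ($Permission) {
            'RO' { '0x1' }   # read
            'RW' { '0x3' }   # read | write
        }

        # Resolve the principal to a SID exactly once; everything below keys off the SID.
        $escapedIdentity = $Identity -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $adObject = @(Get-ADObject -LDAPFilter "(sAMAccountName=$escapedIdentity)" -Properties ObjectSid)
        if ($adObject.Count -ne 1) {
            throw "Expected exactly one AD object with sAMAccountName '$Identity', found $($adObject.Count)."
        }
        $sid = [System.Security.Principal.SecurityIdentifier]$adObject[0].ObjectSid.Value
        $sidString = $sid.Value

        # Current channel descriptor as wevtutil reports it. Refuse to continue on any failure:
        # the new descriptor is "<current> + one ACE", so an empty current value would wipe the DACL.
        $channelLine = wevtutil.exe gl $LogName | Where-Object { $_ -match '^channelAccess' }
        if ($LASTEXITCODE -ne 0 -or -not $channelLine) {
            throw "wevtutil gl $LogName did not return a channelAccess line (exit code $LASTEXITCODE)."
        }
        $origValue = (($channelLine | Select-Object -First 1) -split ': ', 2)[-1].Trim()
        if ($origValue -notmatch '^O:.+D:') {
            throw "Unexpected channelAccess value for $LogName; refusing to modify: $origValue"
        }

        # The SID is the last field of an ACE, so ';<sid>)' matches a whole SID and not a prefix of a longer one.
        if ($origValue.Contains(";$sidString)")) {
            Write-Host "$sidString already set in SDDL, manual inspection required`nCurrent Value: $origValue" -ForegroundColor Yellow
            return
        }
        # Appending an Allow ACE keeps the DACL canonical (any Deny ACEs remain ahead of it).
        $newValue = "$origValue(A;;$accessMask;;;$sidString)"
        Write-Host "CustomSD original value: $origValue"
        Write-Host "CustomSD new value: $newValue"

        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
        if ($PSCmdlet.ShouldProcess("$LogName log with value $newValue", 'Set-ItemProperty')) {
            # NOTE: removing CustomSD lets channelAccess fall back to the default
            # (original author: verified with wevtutil.exe gl <LogName>).
            Set-ItemProperty -Path $path -Name 'CustomSD' -Value $newValue -Type String -ErrorAction Stop -Force

            $regAcl = Get-Acl -Path $path
            # Compare existing rules by SID, not by a name suffix, so DOMAIN\X, OTHER\X and a
            # local X are never mistaken for one another. A rule that already includes ReadKey
            # (e.g. FullControl) counts as sufficient.
            $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
            $existing = $regAcl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                Where-Object {
                    $_.IdentityReference.Value -eq $sidString -and
                    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
                    ($_.RegistryRights -band $readKey) -eq $readKey
                }
            if ($existing) {
                Write-Host "`n$Identity already has ability to read $path" -ForegroundColor Yellow
            }
            else {
                Write-Host "`nAdd $Identity permission to $path" -ForegroundColor Green
                $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $sid, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
                $regAcl.AddAccessRule($rule)
                Set-Acl -AclObject $regAcl -Path $regAcl.Path -ErrorAction Stop
            }
        }
    }
    catch {
        # Rethrow unchanged so the caller sees the original error record.
        throw $_
    }
}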
# Example invocation: give the placeholder group read-only access to the Security log.
# Replace 'MY_AD_GROUP' with a real sAMAccountName; append -WhatIf to preview the writes.
$exampleArgs = @{
    Identity   = 'MY_AD_GROUP'
    LogName    = 'Security'
    Permission = 'RO'
}
Add-EventLogAccess @exampleArgs