Domain Controller Granular Event Log Delegation

Posted in Active Directory, Microsoft, Powershell

So you've combed through 7-year-old TechNet forum posts, cursed the limitations of the Event Log Readers group when trying to use Get-WinEvent, and then tried to decipher SDDL to no avail. A treatment for all those woes:

The basic gist here is that the CustomSD registry value will contain your new permissions, and the specified event log's registry key will also have an ACE set on it granting the principal read access. Some basic error checking is included, and this supports the -WhatIf switch properly. One minor note – the DC Security log still cannot be written to by a custom script even if you use RW as the permission.
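The following function is an added example of the approach described above; it is not the author's script. It appends an access-allowed ACE for the given account to the log's CustomSD value and adds a ReadKey ACE on the log's registry key, with -WhatIf support. The function name `Grant-EventLogRead` and the parameter names are assumptions, as is the use of `wevtutil gl` output (its `channelAccess:` line) as the starting descriptor when no CustomSD value exists yet.

```powershell
function Grant-EventLogRead {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $LogName,          # e.g. 'Security'
        [Parameter(Mandatory)] [string] $Identity,         # e.g. 'CONTOSO\SIEM-Readers' (constructed sample)
        [ValidateSet('Read', 'ReadWrite')] [string] $Access = 'Read'
    )

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    if (-not (Test-Path -LiteralPath $keyPath)) {
        throw "Event log registry key not found: $keyPath"
    }

    # Resolve the account to a SID; Translate() throws if the account does not exist.
    $sid = ([System.Security.Principal.NTAccount] $Identity).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Event log access mask bits in the channel SDDL: 0x1 = read, 0x2 = write, 0x4 = clear.
    $mask = if ($Access -eq 'ReadWrite') { '0x3' } else { '0x1' }
    $ace  = "(A;;$mask;;;$sid)"

    # Base descriptor: the existing CustomSD if present, otherwise the channel's
    # current descriptor as reported by wevtutil (assumed "channelAccess: O:..." line).
    $current = (Get-ItemProperty -LiteralPath $keyPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if ([string]::IsNullOrWhiteSpace($current)) {
        $out = (& wevtutil.exe gl $LogName 2>&1) -join "`n"
        $m   = [regex]::Match($out, 'channelAccess:\s*(\S+)')
        if (-not $m.Success) { throw "Could not read the current descriptor for log '$LogName'" }
        $current = $m.Groups[1].Value
    }

    # Append the ACE only once; re-running the function stays idempotent.
    $newSd = if ($current.Contains($ace)) {
        Write-Verbose "ACE $ace already present in the descriptor for $LogName"
        $current
    } else {
        $current + $ace
    }

    # Validate the SDDL before touching the registry; the constructor throws on malformed input.
    [void] [System.Security.AccessControl.RawSecurityDescriptor]::new($newSd)

    # ReadKey on the log's registry key, inherited by subkeys, so the reader can open the log.
    $acl  = Get-Acl -LiteralPath $keyPath
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier] $sid,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)

    $action = "Set CustomSD to '$newSd' and grant ReadKey on $keyPath to $Identity"
    if ($PSCmdlet.ShouldProcess("$LogName event log", $action)) {
        Set-ItemProperty -LiteralPath $keyPath -Name CustomSD -Value $newSd -Type String
        Set-Acl -LiteralPath $keyPath -AclObject $acl
    }

    # Return what was (or would be) written so the caller can log or verify it.
    [pscustomobject] @{
        LogName  = $LogName
        Identity = $Identity
        SID      = $sid
        CustomSD = $newSd
    }
}

# Usage (run elevated on the domain controller; constructed group name):
# Grant-EventLogRead -LogName Security -Identity 'CONTOSO\SIEM-Readers' -WhatIf
# Grant-EventLogRead -LogName Security -Identity 'CONTOSO\SIEM-Readers' -Verbose
```

Running with -WhatIf prints the exact descriptor and registry ACE that would be applied without changing anything, which is the check worth doing before rolling this out to every DC. The event log service picks up CustomSD when the channel is next opened, so a reader that already has the log open may need to reconnect; and, as noted above, granting 0x3 on the Security log still does not let a custom script write to it.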