Domain Controller Granular Event Log Delegation

So you’ve combed through 7-year-old TechNet forum posts, cursed the limitations of the Event Log Readers group when trying to use Get-WinEvent, and then tried to decipher SDDL to no avail. A treatment for all those woes:

function Add-EventLogAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
      #principal (user or group sAMAccountName) to delegate access to; must exist in AD
      [Parameter(Mandatory)]
      [ValidateScript({Get-ADObject -LDAPFilter "(samaccountname=$_)"})]
      [string]$Identity,

      #event log channel name, e.g. Security
      [Parameter(Mandatory)]
      [string]$LogName,

      #RO = read only (0x1), RW = read and write (0x3)
      [Parameter(Mandatory)]
      [ValidateSet('RO','RW')]
      [string]$Permission
    )

    #get original permissions in SDDL format
    $origValue = ((wevtutil.exe gl $LogName | ? {$_ -match '^channelAccess'}) -split ': ')[-1].trim()

    #create new SDDL syntax
    switch($Permission){
      'RO' {$PermissionHex = '0x1'}
      'RW' {$PermissionHex = '0x3'}
    }
    $ADsid = (Get-ADObject -LDAPFilter "(samaccountname=$Identity)" -Properties ObjectSid).ObjectSid.Value
    if($origValue -match $ADsid){write-host "$ADsid already set in SDDL, manual inspection required`nCurrent Value: $origValue" -f yellow; return}
    $newValue = "$origValue(A;;$PermissionHex;;;$ADsid)"
    write-host "CustomSD original value:  $origValue"
    write-host "CustomSD new value:  $newValue"
    $Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"
    if($PSCmdlet.ShouldProcess("$LogName log with value $newValue","Set-ItemProperty")){
      try{
        #NOTE removing CustomSD allows channelAccess to return to default, verified with wevtutil.exe gl $LogName
        Set-ItemProperty -Path $Path -Name 'CustomSD' -Value $newValue -Type String -ErrorAction Stop -Force

        #the principal also needs read access to the log's registry key
        $regACL = Get-Acl $Path
        if($regACL.Access | ? {$_.IdentityReference -like "*$Identity" -and $_.RegistryRights -eq 'ReadKey' -and $_.AccessControlType -eq 'Allow'}){
          write-host "`n$Identity already has ability to read $Path" -f Yellow
        }
        else{
          write-host "`nAdd $Identity permission to $Path" -f Green
          $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity,'ReadKey','ContainerInherit,ObjectInherit','None','Allow')
          $regACL.SetAccessRule($rule)
          Set-Acl -AclObject $regACL -Path $regACL.Path -ErrorAction Stop
        }
      }
      catch{
        throw $_
      }
    }
}


Add-EventLogAccess -Identity 'MY_AD_GROUP' -LogName Security -Permission RO

The basic gist here is that the CustomSD registry value will contain your new permissions, and the specified event log registry key will also have an ACE set on it allowing the principal read access. Some basic error checking is included and this supports the -WhatIf switch properly. One minor note – the DC Security log still cannot be written to by a custom script even if you use RW as the permission.
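As an added verification step (not part of the original post), the function below reads the effective channelAccess SDDL for a log the same way Add-EventLogAccess does, parses it with .NET's RawSecurityDescriptor, and resolves each ACE to a principal and its Read/Write/Clear bits, so you can confirm the delegation took effect and spot any grant you did not intend. It assumes the documented channel access mask bits (0x1 read, 0x2 write, 0x4 clear) and the wevtutil.exe output format parsed above.

```powershell
function Get-EventLogChannelAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$LogName
    )
    # Effective channel SDDL as reported by wevtutil (CustomSD overrides it when present)
    $sddl = ((wevtutil.exe gl $LogName | Where-Object { $_ -match '^channelAccess' }) -split ': ')[-1].Trim()

    # RawSecurityDescriptor turns the SDDL string into typed ACE objects
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask = [int]$ace.AccessMask
        # Channel access mask bits (assumed from the event log channel documentation): 0x1 read, 0x2 write, 0x4 clear
        $rights = @()
        if ($mask -band 0x1) { $rights += 'Read' }
        if ($mask -band 0x2) { $rights += 'Write' }
        if ($mask -band 0x4) { $rights += 'Clear' }

        # Resolve the SID to an account name; fall back to the raw SID when it cannot be resolved
        try   { $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $principal = $ace.SecurityIdentifier.Value }

        [pscustomobject]@{
            LogName   = $LogName
            AceType   = $ace.AceType
            Principal = $principal
            Sid       = $ace.SecurityIdentifier.Value
            Mask      = '0x{0:x}' -f $mask
            Rights    = $rights -join ','
        }
    }
}

# List every principal allowed to read the Security log, which should now include the group delegated above
Get-EventLogChannelAccess -LogName Security |
    Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Rights -match 'Read' } |
    Format-Table Principal, Sid, Mask, Rights -AutoSize
```

Run it before and after Add-EventLogAccess; any AccessAllowed entry you cannot account for is a delegation worth reviewing.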