Re: Remote Event Log

Hi,

simonm wrote:
> I have a domain controller running W2K3 R2 with several XP machines on
> the domain. I have a service running as SYSTEM on those XP boxes that can start
> processes. I need to set up the policy and permission on the Controller so
> those processes (running as SYSTEM) can create remote events on the controller
> in my custom event log. It was working on a different setup where the
> controller was a W2K box!

It's because of the change in security to eventlog announced in W2K3 SP1.

It can be changed by security template
http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
.... not my favorite, because you need to change it locally on every
client/server where you want to "see" or "change" the setting.
(even if you do not see it, it is still active ...)

or my favorite: Doing it by ADM Template
because it is universal and in my opinion more flexible.

You can manipulate the "CustomSD" manually of course, but if it is
more than one server it would be easier with a policy.

My guess: The actual permissions on your eventlog are:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

Change (A;;0xf0007;;;SY) to (A;;0x3;;;SY) to give read/write access.

If this doesn't help, you can extend this list and add a self-created
security group and run the service with a member of this group.

An ADM could look like this:
---- eventlogperm.adm ----
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CLASS MACHINE ;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

CATEGORY "Eventlog Permissions"

POLICY "My Eventlog"
KEYNAME "System\CurrentControlSet\Services\Eventlog\NameofEventlog"
PART "Permissions on NameofEventlog" EDITTEXT
DEFAULT "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)"
VALUENAME CustomSD
END PART
END POLICY

END CATEGORY

; Change the Keyname to your settings ...
; the Default is the MS Default setting. Add/change it ...
---- eventlogperm.adm ----


Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - German
Blog: gpupdate.spaces.live.com - english
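
Added example, not part of the original post: a Python helper that decodes the CustomSD string quoted above into per-trustee event log rights (access bits 0x1 read, 0x2 write, 0x4 clear) and appends an allow ACE for a self-created group. The function names are assumptions made for illustration, and the group SID is a constructed placeholder.

```python
import re

# Event-log-specific access bits in the low part of the ACE mask.
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}
ACE_RE = re.compile(r"\(([AD]);([^;()]*);(0x[0-9a-fA-F]+);([^;()]*);([^;()]*);([^;()]+)\)")
SID_RE = re.compile(r"S-1-\d+(-\d+)+$")


def parse_custom_sd(sddl):
    """Split a CustomSD string into its header (owner/group/'D:') and ACE dicts."""
    start = sddl.index("(")
    header, body = sddl[:start], sddl[start:]
    matches = list(ACE_RE.finditer(body))
    if "".join(m.group(0) for m in matches) != body:
        raise ValueError("DACL contains text that is not a simple A/D ACE")
    aces = []
    for m in matches:
        mask = int(m.group(3), 16)
        aces.append({
            "kind": "allow" if m.group(1) == "A" else "deny",
            "mask": mask,
            "trustee": m.group(6),
            "rights": [name for bit, name in RIGHTS.items() if mask & bit],
        })
    return header, aces


def trustees_with(aces, kind, right):
    """Trustees whose ACEs of the given kind ('allow'/'deny') include the right."""
    return [a["trustee"] for a in aces if a["kind"] == kind and right in a["rights"]]


def add_allow_ace(sddl, sid, mask=0x3):
    """Append an allow ACE for a group SID; appending keeps deny ACEs first."""
    # 0x3 is the read/write value used in the post; 0x2 would be write-only.
    if not SID_RE.match(sid):
        raise ValueError("expected a numeric SID such as S-1-5-21-...")
    if mask & ~0x7:
        raise ValueError("only the event log bits 0x1/0x2/0x4 are granted here")
    parse_custom_sd(sddl)  # refuse to extend a string we cannot parse
    return f"{sddl}(A;;{mask:#x};;;{sid})"


# The default string quoted in the post.
DEFAULT_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
              "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")
# Constructed placeholder SID for the self-created group; use your group's real SID.
WRITERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"

if __name__ == "__main__":
    for ace in parse_custom_sd(DEFAULT_SD)[1]:
        print(f'{ace["kind"]:5} {ace["trustee"]:8} {ace["mask"]:#x} {ace["rights"]}')
    print(add_allow_ace(DEFAULT_SD, WRITERS_SID))
```

The string returned by add_allow_ace is what would go into the DEFAULT line of the ADM template or directly into the CustomSD value.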