Re: Event viewer security issue
From: Feng Mao (fengmao_at_online.microsoft.com)
Date: 08/12/04
- Next message: Dave Patrick: "Re: Event viewer security issue"
- Previous message: someoneelse: "2003 Server vs. Linux"
- In reply to: John: "Re: Event viewer security issue"
- Next in thread: John: "Re: Event viewer security issue"
- Reply: John: "Re: Event viewer security issue"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 12 Aug 2004 02:39:58 GMT
Hi John,
Thank you for posting back!
As re-creating the event log file cannot solve the problem, I would like to
collect some information for further troubleshooting.
1. Click Start, point to Run, type "CMD" (without quotation marks) and
press Enter. Type the command "WHOAMI /Groups" (without quotation marks)
and press Enter. May I know what kind of Groups the logon user belongs to?
2. Can the local Administrator account open the Eventlog?
3. Please take a look at the permissions on
HKEY_LOCAL_MACHINE\System\CSS\Services\Eventlog and Systemlog keys to make
sure that the logon user has the permission to access it.
Action Plan
=========
On the Windows 2003 domain controller, please perform the following steps:
1. Start the Active Directory Users and Computers tool, right-click the
Domain Controllers container, and then click Properties.
2. Click the Group Policies tab, click the Default Domain Controllers
policy, and then click Edit.
3. Expand the following items in the policy:
   Computer Configuration
     Windows Settings
       Security Settings
         Event log
4. Double-click "Prevent local guests group from accessing application
log", change it to Not Defined. Repeat the steps to change the policies
below:
Prevent local guests group from accessing security log
Prevent local guests group from accessing system log
5. Click OK in each dialog box or window to quit the policy editor.
In addition, please check the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
Name: RestrictGuestAccess
Type: REG_DWORD
Value: 1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
Name: RestrictGuestAccess
Type: REG_DWORD
Value: 1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
Name: RestrictGuestAccess
Type: REG_DWORD
Value: 1
..
Please change the restrictguestaccess registry value to 0. Close the
registry editor and then restart the server.
Have a good day!
Thanks & Regards,
Feng Mao [MSFT], MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: John <jschaaf@wyseadv.com>
| Subject: Re: Event viewer security issue
| User-Agent: 40tude_Dialog/2.0.12.1
| MIME-Version: 1.0
| Content-Type: text/plain; charset="us-ascii"
| Content-Transfer-Encoding: 7bit
| Sender: jschaaf@wyseadv.com
| Reply-To: jschaaf@wyseadv.com
| Organization: Wyse Advertising, Inc.
| References: <19109zie7ptn8.1jwfsc725vfvz$.dlg@40tude.net>
|  <ZCOktD6eEHA.2932@cpmsftngxa06.phx.gbl>
| Date: Wed, 11 Aug 2004 08:31:59 -0400
| Message-ID: <37cy25ye3sej$.umim0xuiuodp$.dlg@40tude.net>
| Newsgroups: microsoft.public.windows.server.general
| NNTP-Posting-Host: email-server.wyseadv.com 207.54.171.78
| Lines: 1
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.general:42066
| X-Tomcat-NG: microsoft.public.windows.server.general
|
| On Fri, 06 Aug 2004 10:33:57 GMT, Feng Mao wrote:
|
| > Hi John,
| >
| > Thank you for posting!
| >
| > I have some additional information, if the Windows Server 2003 is not a
| > Domain Controller, registry modifications can be made to resolve this:
| >
| > By resetting the restrictguestaccess registry value to 0 for the
| > application, system and dns logs under the following registry key.
| >
| > HKLM\System\CurrentControlSet\Services\EventLog
| >
| > After that, reboot the server.
| >
| > Have a good day!
| >
| > Thanks & Regards,
| >
| > Feng Mao [MSFT], MCSE
| > Microsoft Online Partner Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > When responding to posts, please "Reply to Group" via your newsreader
| > so that others may learn and benefit from your issue.
| > =====================================================
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| >
| >
| > --------------------
| >| From: John <jschaaf@wyseadv.com>
| >| Subject: Event viewer security issue
| >| User-Agent: 40tude_Dialog/2.0.12.1
| >| MIME-Version: 1.0
| >| Content-Type: text/plain; charset="us-ascii"
| >| Content-Transfer-Encoding: 7bit
| >| Sender: jschaaf@wyseadv.com
| >| Reply-To: jschaaf@wyseadv.com
| >| Organization: Wyse Advertising, Inc.
| >| Date: Thu, 5 Aug 2004 14:25:51 -0400
| >| Message-ID: <19109zie7ptn8.1jwfsc725vfvz$.dlg@40tude.net>
| >| Newsgroups: microsoft.public.windows.server.general
| >| NNTP-Posting-Host: email-server.wyseadv.com 207.54.171.78
| >| Lines: 1
| >| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!tk2msftngp13.phx.gbl
| >| Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.general:41612
| >| X-Tomcat-NG: microsoft.public.windows.server.general
| >|
| >| On our Win2003 server, we are unable to view any of the files in Event
| >| viewer other than Security. When we click on any of them, I.E.
| >| Applications, we get the following error: Unable to complete the
| >| operation on "Applications". Access is denied. This sounds like a
| >| security issue, but we are logged in as Administrator, and we have
| >| checked the security on the associated Event Viewer files and we have
| >| full rights to the files.
| >| The files are in c:\windows\system32\config.
| >|
| >| Thanks for the help.
| >|
| >| John.
| >|
|
| Thanks for your replies Dave Patrick and Feng Mao.
|
| Feng, our server is a Domain controller so we will not try your solution.
|
| Dave, we did try what you suggested. The server recreated the files and
| we still get the same error message.
|
| Any more suggestions?
|
| Thanks.
| John.
|
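
The information this reply asks for (the logon user's groups and the RestrictGuestAccess value on each log's key) can be gathered in one read-only pass. The PowerShell below is an added example, not part of the original thread; it assumes a host with PowerShell installed and changes nothing.

```powershell
# Read-only diagnostic (added example): reports the logon user's groups and
# the RestrictGuestAccess value under each event log key named in the post.
$base = 'HKLM:\System\CurrentControlSet\Services\EventLog'
$logs = 'Application', 'System', 'Security'

# Equivalent of "whoami /groups": resolve the token's group SIDs to names.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = foreach ($sid in $identity.Groups) {
    try   { $sid.Translate([Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable SID: keep the raw SID string
}

# IsInRole reflects the current token, so a non-elevated session of an
# administrator reports False for Administrators.
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$isGuest = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Guest)

"User: {0}  (Administrators: {1}, Guests: {2})" -f $identity.Name, $isAdmin, $isGuest
"Groups:"
$groups | Sort-Object | ForEach-Object { "  $_" }

$report = foreach ($log in $logs) {
    $key = Join-Path $base $log
    $value = $null
    try {
        # Throws if the key is missing, unreadable, or the value is not set.
        $prop  = Get-ItemProperty -Path $key -Name RestrictGuestAccess -ErrorAction Stop
        $value = $prop.RestrictGuestAccess
        $state = if ($value -eq 0) { 'guest access not restricted' }
                 else              { 'guest access restricted' }
    }
    catch {
        $state = "not set or not readable: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Log = $log; RestrictGuestAccess = $value; State = $state
    }
}
$report | Format-Table Log, RestrictGuestAccess, State -AutoSize
```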