I am running Windows Server 2012 R2 with VMware Workstation Pro installed on it. When Workstation is installed, it creates a user group, __vmware__, for VMware Workstation users. I have added my host (i.e. Windows Server 2012 R2) user account (a member of Users, not of Administrators) to that __vmware__ group.
On the host, while running as my user account, I want to create entries in the Application event log related to the state of the virtual machines running under VMware.
In a command window on the host I typed whoami /all
and got the following:
USER INFORMATION
----------------

User Name SID
========= ==============================================
mte\mike  S-1-5-21-1052476717-3500785571-2838594007-1118

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Group used for deny only
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
MTE\__vmware__                             Alias            S-1-5-21-1052476717-3500785571-2838594007-1131 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
Note that my user account is a member of __vmware__, whose SID is S-1-5-21-1052476717-3500785571-2838594007-1131.
From an administrator account, I edited the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
and modified the CustomSD entry as follows:
O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
Here you can see that the __vmware__ group has been granted read and write access to the Application event log.
However, when I try to create a log entry:
eventcreate /SO TestEventMsg /Id 1 /D "This is a test message" /T INFORMATION /L Application
I get an "Access is denied" error.
What am I doing wrong?
Update 2016-12-03
I tried user2304170's suggestion and got the following:
PS C:\Users\Netadmin\Documents> ./GrantEventLogAccess.ps1 -Account '__vmware__' -LogName Application
Failed to save configuration or activate log Application. Access is denied.
name: Application
enabled: true
type: Admin
owningPublisher:
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x3;;;S-1-5-21-1052476717-3500785571-2838594007-1131)(A;;0x2;;;S-1-15-2-1)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Application.evtx
  retention: false
  autoBackup: false
  maxSize: 20971520
publishing:
  fileMax: 1
PS C:\Users\Netadmin\Documents>
Answer 1
Piecing together bits from around the internet, I created this small script for it:
<#
.SYNOPSIS
Add write permissions to the Windows Event Log for a specific AD object.
.DESCRIPTION
Add write permissions to the Windows Event Log for a specific AD object.
Changing a log's channel configuration with 'wevtutil sl' requires administrative
rights, so run this from an elevated PowerShell session.
.PARAMETER Account
Active Directory object that needs write permissions.
.PARAMETER LogName
Name of the log where we grant permissions.
.EXAMPLE
./script.ps1 -Account 'Domain users' -LogName Application
.NOTES
CHANGELOG
2016/09/12 Script born
#>
[CmdletBinding()]
Param (
    [String]$Account = 'Bob',
    [String]$LogName = 'Application'
)

Write-Verbose "Retrieving SID for account '$Account'"
$AdObj = New-Object System.Security.Principal.NTAccount($Account)
$SID = $AdObj.Translate([System.Security.Principal.SecurityIdentifier])
Write-Verbose "Found SID for account $($SID.Value)"

# 'wevtutil gl' prints one "key: value" line per setting; select the channelAccess
# line by its key instead of by a fixed index so parsing does not depend on the layout.
$channelAccess = wevtutil gl $LogName | Where-Object { $_ -like 'channelAccess:*' }
if ($channelAccess) {
    $str = $channelAccess.Replace('channelAccess: ', '')
    if ($str.Contains($SID.Value) -eq $false) {
        # Append an allow ACE granting read (0x1) and write (0x2) to the SID
        $newstr = $str + "(A;;0x3;;;" + $SID.Value + ")"
        Write-Verbose "Adding '$newstr'"
        wevtutil sl $LogName /ca:$newstr
        Write-Verbose "Update complete new value is"
        wevtutil gl $LogName
    }
    else {
        Write-Verbose "Update not needed"
    }
}
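As an added example (not part of the question or of either answer), the following PowerShell decodes the channelAccess SDDL that the CustomSD edit in the question and the script in Answer 1 both manipulate. It lists each ACE with the resolved account and which of the log-specific rights (0x1 read, 0x2 write, 0x4 clear) it grants, checks whether a SID in the current token is granted write, and then writes a test event through a source that is already registered. The function names and the default source name are assumptions; it assumes Windows PowerShell 4 or later on the host, and it does not need elevation to read the ACL or to write through an existing source.

```powershell
# Added example (not from the original question or answers). Decodes an event
# log's channelAccess SDDL, checks whether the current token is granted write
# access by it, and writes a test event through a source that already exists.
# Assumes Windows PowerShell 4+ (Windows Server 2012 R2). Function names are ours.
param(
    [string]$LogName = 'Application',
    [string]$Source  = 'TestEventMsg'   # assumed; must already be registered under the log
)

# Event-log specific access rights used in channelAccess/CustomSD masks.
$LogRights = [ordered]@{ Read = 0x1; Write = 0x2; Clear = 0x4 }

function Get-ChannelSddl {
    param([string]$Name)
    # 'wevtutil gl' prints one "key: value" line per setting. Select the line by
    # its key rather than by position so a layout change does not break parsing.
    $line = wevtutil gl $Name | Where-Object { $_ -like 'channelAccess:*' }
    if (-not $line) { throw "channelAccess not found in 'wevtutil gl $Name' output" }
    return ($line -replace '^channelAccess:\s*', '').Trim()
}

function ConvertTo-AccountName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Not every SID resolves (e.g. the app-container SID S-1-15-2-1); keep the raw value then.
    try { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid.Value }
}

function Get-ChannelAce {
    param([string]$Sddl)
    # RawSecurityDescriptor parses SDDL; the DACL entries are CommonAce objects
    # whose AceType is AccessAllowed (A) or AccessDenied (D).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $mask   = [int]$ace.AccessMask
        $rights = @($LogRights.Keys | Where-Object { $mask -band $LogRights[$_] }) -join ','
        [pscustomobject]@{
            Type    = $ace.AceType
            Account = ConvertTo-AccountName $ace.SecurityIdentifier
            Sid     = $ace.SecurityIdentifier.Value
            Mask    = '0x{0:x}' -f $mask
            Rights  = $rights
        }
    }
}

function Test-TokenWriteAccess {
    param([string]$Sddl)
    # Simplified DACL evaluation: the token's user SID plus its enabled group SIDs
    # (WindowsIdentity.Groups omits deny-only groups) are matched against each ACE;
    # a matching deny of 0x2 wins over any matching allow.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $sd        = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $allowed = $false; $denied = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($tokenSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        if (-not ([int]$ace.AccessMask -band $LogRights.Write)) { continue }
        switch ($ace.AceType.ToString()) {
            'AccessAllowed' { $allowed = $true }
            'AccessDenied'  { $denied  = $true }
        }
    }
    return ($allowed -and -not $denied)
}

function Write-TestEvent {
    param([string]$Name, [string]$Src, [string]$Message)
    # Registering a new source creates a key under HKLM\SYSTEM\...\Services\EventLog\<log>\<source>,
    # which a standard user cannot do regardless of the channel ACL. Check for that key
    # (readable by everyone) instead of EventLog.SourceExists, which throws for non-admins
    # because it also probes the Security log.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Name\$Src"
    if (-not (Test-Path $key)) {
        throw "Source '$Src' is not registered; create it once from an elevated prompt: New-EventLog -LogName $Name -Source $Src"
    }
    Write-EventLog -LogName $Name -Source $Src -EventId 1 -EntryType Information -Message $Message
}

$sddl = Get-ChannelSddl $LogName
"channelAccess for ${LogName}: $sddl"
Get-ChannelAce $sddl | Format-Table -AutoSize
if (Test-TokenWriteAccess $sddl) {
    "Current token holds a SID with write (0x2) on $LogName; writing a test event."
    Write-TestEvent -Name $LogName -Src $Source -Message 'Test event written by a standard user account'
} else {
    "No ACE in the $LogName DACL grants write (0x2) to a SID in the current token."
}
```

Run it from a non-elevated session of the account in question, after logging off and on again if the group membership was changed, since the token is built at logon. The ACE table shows exactly which principals the SDDL covers; the write check separates "the DACL does not grant my token write" from "the DACL grants it, but the operation failed for another reason", such as the source registration that the write step guards against.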
Answer 2
I haven't tested this fully, but if you go to this registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
you can right-click the Eventlog folder and grant permissions to the user you want to allow access, or you can select the event log.