
Administer Event Log permissions via a Domain GPO

Since we already know the robust way to administer Event Log permissions locally, here’s a method to implement them in a distributable, domain-wide GPO, so that you can apply the same policy to many servers.

If you want to distribute a "local security policy" through a GPO, the documented route is to export the local security policy to a template and then import that template into the GPO.

Yes, that looks awful. To avoid overwriting an existing policy, we'll hack away at the GptTmpl.inf directly and add our SDDL entries in the same manner as in Administering Event Log permissions.

Find the event logs

First, let’s once again grab the event log names we want to administer:

reg query HKLM\System\CurrentControlSet\Services\EventLog

To target a remote machine use:

reg query \\remotemachine\HKLM\System\CurrentControlSet\Services\EventLog

The following is an example of the returned data (the exact list varies per host, since applications register their own classic logs here):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\DFS Replication
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System

Note that this key holds only the classic logs. On Windows Vista and later, the channel-based logs (the Microsoft-Windows-* logs under Applications and Services Logs in Event Viewer) live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels, and their security descriptor is the ChannelAccess value rather than CustomSD. The same [Registry Values] technique applies to them, with that key and value name.
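As an added example (not code from the original post), the same enumeration in PowerShell, which also reads any CustomSD already applied and decodes its DACL into who may read, write or clear each log. It assumes the Remote Registry service is reachable on the target when -ComputerName is used; 'SRV01' is a placeholder host name.

```powershell
# Added example, not code from the original post. Lists the classic Event Log
# keys on a local or remote host, reads any CustomSD already applied and
# decodes the DACL. Assumes Remote Registry is reachable for -ComputerName;
# 'SRV01' below is a placeholder host name.

function ConvertFrom-EventLogSddl {
    # Decode an Event Log security descriptor. Log-specific rights per
    # Microsoft's "Event Log Access Rights": 0x1 = read, 0x2 = write, 0x4 = clear.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only ACE types that carry a mask and a SID are meaningful here
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $mask   = $ace.AccessMask
        $rights = @()
        if ($mask -band 0x1)        { $rights += 'Read' }
        if ($mask -band 0x2)        { $rights += 'Write' }
        if ($mask -band 0x4)        { $rights += 'Clear' }
        if ($mask -band 0x10000000) { $rights += 'GenericAll' }   # GA bit
        $sid = $ace.SecurityIdentifier
        try   { $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $principal = $sid.Value }   # unresolvable SID: show it raw
        [pscustomobject]@{
            AceType   = $ace.AceType
            Principal = $principal
            Mask      = '0x{0:X}' -f $mask
            Rights    = $rights -join ','
        }
    }
}

function Get-EventLogCustomSD {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $root = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\EventLog')
        foreach ($log in $root.GetSubKeyNames()) {
            $sub  = $root.OpenSubKey($log)
            $sddl = $sub.GetValue('CustomSD')   # $null when the built-in default applies
            $sub.Close()
            $access = $null
            if ($sddl) { $access = ConvertFrom-EventLogSddl -Sddl $sddl }
            [pscustomobject]@{
                ComputerName = $ComputerName
                Log          = $log
                CustomSD     = $sddl
                Access       = $access
            }
        }
        $root.Close()
    } finally { $hive.Close() }
}

# Local host: which logs already carry a CustomSD?
Get-EventLogCustomSD | Format-Table Log, CustomSD -AutoSize

# Remote host: decoded access for the Application log only
(Get-EventLogCustomSD -ComputerName 'SRV01' | Where-Object Log -eq 'Application').Access | Format-Table
```

The decoder is also the check to run on a member server after the GPO has applied: if the CustomSD you put in the template does not come back from Get-EventLogCustomSD, the policy has not landed.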

Find our group policy object’s GptTmpl.inf

The easiest way I know of to find a GPO's directory is to open that policy for editing from gpmc.msc and then go through the following:

Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)
Double click Startup
Click "Show Files"

An Explorer window will pop up with a path similar to the following (the GUID is the one GPMC shows as Unique ID on the GPO's Details tab):

\\DOMAIN.LOCAL\SysVol\DOMAIN.LOCAL\Policies\{policy-GUID}\Machine\Scripts\Startup

Traverse the directory structure, until you end up in:

\\DOMAIN.LOCAL\SysVol\DOMAIN.LOCAL\Policies\{policy-GUID}\Machine\Microsoft\Windows NT\SecEdit

And, voila, we have GptTmpl.inf

“But, Matt… I don’t have a GptTmpl.inf there!”

… you say, sadly wondering why you don't have a Microsoft subdirectory in your Machine directory.  Have no fear!

Sometimes it's worth hacking around, and sometimes it's not.  At these latter times, I'd rather let the system do the magic for me than possibly do the magic incorrectly, in this example raising the chances of corrupting the Group Policy.  So we'll let the GPO gods create the GptTmpl.inf for us before editing.

Back in the editor for the domain-wide GPO that you wish to add the Event Log permissions to, traverse the policy tree to:

Computer Configuration\Windows Settings\Security Settings\Registry

Add a key.

Interesting!  The contents of this window aren't the good ol' "HKEY_LOCAL_MACHINE" you're so used to seeing.  It's simply "MACHINE."  That is the security template naming convention for the hives (MACHINE, USERS and CLASSES_ROOT), and it's the same prefix you'll use when writing the .inf by hand.

Traverse the tree and add any key.  Bear in mind that what you are adding here is an ACL for that key (it becomes a [Registry Keys] line in GptTmpl.inf), so pick something harmless and plan to remove that entry from the file afterwards.

Close the editor for the associated domain-wide GPO.

Edit the .inf directly

Now that you’ve followed the above, traverse back to the GPO’s GptTmpl.inf:

\\DOMAIN.LOCAL\SysVol\DOMAIN.LOCAL\Policies\{policy-GUID}\Machine\Microsoft\Windows NT\SecEdit

There it is!  You can now edit this file and add your SDDL entries as detailed in the previous article, Administering Event Log permissions.

Remember that, unfortunately, there is no way to add a registry value through the Security Settings GUI of a GPO without an ADM template (Group Policy Preferences' Registry items are a separate mechanism and not covered here), so we replace the placeholder [Registry Keys] entry the editor pre-populated in GptTmpl.inf with the entries described in Administering Event Log permissions.

Open the GptTmpl.inf file and follow the Administering Event Log permissions article.

Add the following section header if the file doesn't already have one (a template has at most one [Registry Values] section):

[Registry Values]

Under this section enter one line per log, in the form:

MACHINE\System\CurrentControlSet\Services\EventLog\Application\CustomSD=1,"[the SDDL]"

Here 1 is the value type (1 = REG_SZ; the template format also uses 3 for REG_BINARY, 4 for REG_DWORD and 7 for REG_MULTI_SZ) and "[the SDDL]" is the string value.  Pretty straightforward, and also very handy for administering other registry entries.  Why MSFT doesn't expose this in the GPO GUI, I'm not sure.

So, it stands the same: you must manually edit the GptTmpl.inf, but it's pretty simple from there.  Two things to watch: the file is Unicode (UTF-16 LE), so save it as such rather than ANSI, and the placeholder [Registry Keys] entry you added to get the file generated is a real ACL on that key, so delete it unless you meant to apply it.

Remember you can use %stringvariables% as long as you include a [Strings] section that defines each one as stringvariable=definition.
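The whole edit as a script, added here as an example and not code from the original post: it locates the GPO's GptTmpl.inf in SYSVOL, validates each SDDL, and merges the CustomSD lines into [Registry Values] while leaving every other line of the template alone. It assumes the GroupPolicy RSAT module, write access to SYSVOL, and a GPO that already has a GptTmpl.inf (created by the editor as described above). The GPO name 'Event Log Permissions' and the SDDL strings are placeholders; the Application one grants read to BUILTIN\Event Log Readers (S-1-5-32-573).

```powershell
# Added example, not code from the original post. Merges CustomSD entries for
# the given logs into a domain GPO's GptTmpl.inf, keeping every other line in
# the file intact. Assumes the GroupPolicy RSAT module and write access to
# SYSVOL. GPO name and SDDL strings are placeholders.
Import-Module GroupPolicy

function Set-GpoEventLogCustomSD {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GpoName,
        # Log name -> SDDL string
        [Parameter(Mandatory)][hashtable]$CustomSD
    )
    $gpo  = Get-GPO -Name $GpoName
    $path = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $path)) {
        throw "No GptTmpl.inf for '$GpoName'; let the GPO editor create it first."
    }

    # Fail early on a malformed SDDL: this file is pushed to every machine in scope.
    foreach ($log in $CustomSD.Keys) {
        $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($CustomSD[$log])
    }

    # GptTmpl.inf is UTF-16 LE; reading or writing it as ANSI corrupts it.
    $raw = [string[]](Get-Content -LiteralPath $path -Encoding Unicode)
    if (-not ($raw -match '^\[Version\]')) { throw "$path has no [Version] header; not a security template." }
    $lines = New-Object System.Collections.Generic.List[string]
    $lines.AddRange($raw)

    # Desired lines: MACHINE\...\CustomSD=1,"SDDL"  (1 = REG_SZ)
    $wanted = @{}
    foreach ($log in $CustomSD.Keys) {
        $key = "MACHINE\System\CurrentControlSet\Services\EventLog\$log\CustomSD"
        $wanted[$key] = '{0}=1,"{1}"' -f $key, $CustomSD[$log]
    }

    # Find the [Registry Values] section, or append one at the end
    $start = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i].Trim() -eq '[Registry Values]') { $start = $i; break }
    }
    if ($start -lt 0) { $lines.Add('[Registry Values]'); $start = $lines.Count - 1 }
    $end = $start + 1
    while ($end -lt $lines.Count -and -not $lines[$end].Trim().StartsWith('[')) { $end++ }

    # Update entries for our logs in place; unrelated values stay as they are
    for ($i = $start + 1; $i -lt $end; $i++) {
        $key = ($lines[$i] -split '=', 2)[0].Trim()
        if ($wanted.ContainsKey($key)) { $lines[$i] = $wanted[$key]; $wanted.Remove($key) }
    }
    # Append the logs that had no entry yet, still inside the section
    foreach ($line in @($wanted.Values)) { $lines.Insert($end, $line); $end++ }

    if ($PSCmdlet.ShouldProcess($path, 'Write GptTmpl.inf')) {
        # Back up outside SYSVOL so the copy is not replicated to every DC
        Copy-Item -LiteralPath $path -Destination (Join-Path $env:TEMP "GptTmpl-$($gpo.Id).inf.bak") -Force
        Set-Content -LiteralPath $path -Value $lines.ToArray() -Encoding Unicode
    }
    # Return the resulting section for review
    $lines.GetRange($start, $end - $start)
}

# Placeholder GPO name and SDDLs: SYSTEM full control, Administrators
# read/write/clear, Event Log Readers read-only on Application.
Set-GpoEventLogCustomSD -GpoName 'Event Log Permissions' -CustomSD @{
    Application = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-32-573)'
    System      = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;IU)'
} -WhatIf
```

Run it with -WhatIf first and read the returned section. Editing SYSVOL by hand does not bump the GPO's version number (in gpt.ini and on the AD object), so afterwards make any trivial change in the GPO editor or otherwise raise the version, confirm the values with Get-GPOReport -Name 'Event Log Permissions' -ReportType Html, and run gpupdate /force on one test member before widening the scope.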

The settings are not hidden

Thanks to the group policy's magic, these settings will show up both in RSoP scans and in GPMC's Settings tab for the policy.
