Subject: Security Event Log reading by Domain Users

Archived from groups: microsoft.public.win2000.security

Is it possible to normally read the Sec. Event Log under a Domain User account?
We wrote a simple application which reads 538, 540, 528, etc. events and counts them.
Under an administrative account it works fine, but under a Domain User account it can't open the sec. log.
Adding the "Manage auditing and sec. log" and "Act as part of the oper. system" settings via GP
permits viewing the sec. log, but events are read like
"The description for Event ID ( 538 ) in Source ( Security ) cannot be found. The local computer may
not have the necessary registry information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event: pmtest; COMPANY; (0x0,0x5A968);
11."
Thus, our software doesn't work - it can't read the events.

I added all possible rights to the Domain User account, from "Create a Token Object" to "Generate
Security audits", but no luck.
I heard that the domain user account may need some rights to read some registry key with the Event Log
message library, but I don't know which one exactly...

Is it possible to make this work?


Thanks,
Gera, MCSE
MGBaltic
 

Security logs are locked off from non-admins by default. You only need to add
Manage Auditing and Security Log right to see them, however that means that
account will also be able to clear the security log. In XP and 2K3 you can get
more granular and just offer read.

However your next issue is because the program can't read the Message Library or
the registry entries involved. It has been a long time since I wrote event log
code but if you are using the standard OpenEventLog/ReadEventLog and then using
FormatMessage you will need to redirect the library from which you do the
LoadLibrary for the message IDs OR open up the security to the message
library on the remote machine.

joe


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



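joe's distinction between the privilege and a plain read grant can be made concrete. The following is an added example, not code from the thread or from Microsoft. It assumes Windows XP or Server 2003, where the Event Log service honours a CustomSD string (SDDL) under the log's registry key; Windows 2000 has no equivalent, so there the privilege is the only option. The account name COMPANY\pmtest is a placeholder lifted from Gera's event output. The script appends a read-only ACE for that account, parses the resulting descriptor before writing it, and lists every principal whose DACL entry would still allow clearing the log. Separately: "Act as part of the operating system" (SeTcbPrivilege) is not needed to read any event log and is one of the most dangerous rights that can be assigned, so it should be removed again.

```powershell
# Added example, not from the thread: grant one account read-only access to the
# Security log on Windows XP / Server 2003 through the CustomSD value, instead
# of SeSecurityPrivilege ("Manage auditing and security log"), which also lets
# the holder clear the log.  Run as a local administrator.
# Assumptions: the account name is a placeholder; CustomSD has already been
# seeded with the documented default descriptor for the Security log (this
# script refuses to invent one, because a partial descriptor would lock out
# principals the default allows).

param(
    [string]$Account = 'COMPANY\pmtest'    # placeholder, taken from the thread's event output
)
$ErrorActionPreference = 'Stop'

$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

# Access-mask bits the Event Log service checks against an event log's DACL.
$ELF_READ  = 0x1
$ELF_WRITE = 0x2   # documented for completeness; not granted here
$ELF_CLEAR = 0x4

# Resolve the account to a SID so the ACE survives a rename of the account.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value

$sddl = (Get-ItemProperty -Path $logKey -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $sddl) {
    throw "No CustomSD on $logKey. Seed it with the documented default for the Security log first."
}
if ($sddl -like "*;;;$sid)*") {
    throw "An ACE for $Account ($sid) is already present: $sddl"
}

# Append an Allow ACE carrying only the read bit.
$newSddl = $sddl + ('(A;;0x{0:x};;;{1})' -f $ELF_READ, $sid)

# Parse before writing, so a typo never reaches the registry.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($newSddl)

# Report who the DACL lets clear the log after the change (holders of
# SeSecurityPrivilege, Administrators by default, bypass the DACL and are not listed).
$canClear = $sd.DiscretionaryAcl |
    Where-Object { $_.AceType -eq 'AccessAllowed' -and ($_.AccessMask -band $ELF_CLEAR) } |
    ForEach-Object { $_.SecurityIdentifier.Value }
"Principals able to clear the Security log via the DACL: $($canClear -join ', ')"
if ($canClear -contains $sid) { throw "Refusing to write: $Account would be able to clear the log." }

Set-ItemProperty -Path $logKey -Name CustomSD -Value $newSddl -Type String
"CustomSD updated. The Event Log service reads it when it starts, so in practice reboot:"
$newSddl
```

After the reboot the account can open the Security log without holding SeSecurityPrivilege, so the privilege (and SeTcbPrivilege) can be taken out of the Group Policy again. The write bit is deliberately left out: nothing that only counts events needs it.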
 

Thanks for the response.
The point is, our "program" is a SQL script run through Microsoft Log Parser.
Is it possible to solve the problem in this case (using MS LP and any Windows settings)
or we will need to rewrite an app in C++ using WinAPI functions?


Thanks,
--
Gera



"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:ekVsJLOaEHA.3716@TK2MSFTNGP11.phx.gbl...
 

Ah.

You can try making it so that the process can read the event log section of the
registry on that machine. That may work, alternatively you may have to do that
AND open it up so the remote process can get to %SystemRoot%\System32 on the
remote machine.


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



 

> You can try making it so that the process can read the event log section of the registry on that
machine.
Could you explain how to achieve this? I mean, so that we would be able to use Log Parser?

> That may work, alternatively you may have to do that
> AND open it up so the remote process can get to %SystemRoot%\System32 on the
> remote machine.
We do not need to run Log Parser remotely, only locally.
If it is possible for you, please explain further how I could give Log Parser access to the registry
and so on to make it work normally without admin rights.


Thanks a lot,
Gera, MCSE
MGBaltic


"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:u0JVaYdaEHA.2576@TK2MSFTNGP10.phx.gbl...
 

You are running the process directly on the server itself that you are reading
logs for? Then you just need to look at your perms on the eventlog section of
the registry and system32 and make sure the ID running the process has access.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



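To turn joe's last answer into something that can be checked rather than guessed at, here is an added example; it is not code from the thread. It assumes PowerShell on the machine whose log is being read, a placeholder account COMPANY\pmtest taken from Gera's event output, and Microsoft Log Parser 2.x (logparser.exe) on the PATH for the final query. It resolves the Security source's EventMessageFile the way the event log API does, then inspects the DACL of the EventLog\Security registry key, of its Security source subkey, and of the DLL itself for an Allow entry that covers the account or the common groups it belongs to, and with -Fix grants plain read where nothing covers it. Reading the log at all is a separate matter (the privilege, or a CustomSD read ACE on XP/2003); this script only deals with the description lookup.

```powershell
# Added example, not from the thread: find out why a non-admin running Log Parser
# locally sees "The description for Event ID ( 538 ) in Source ( Security ) cannot
# be found", and grant only what is missing.  Rendering a Security event's text
# needs, besides access to the log itself, read access to the EventLog\Security
# registry subtree (to look up EventMessageFile) and to the DLL that value names.
# Assumptions: $Account is a placeholder; run as an administrator; Log Parser 2.x
# (logparser.exe) is on the PATH for the final query.

param(
    [string]$Account = 'COMPANY\pmtest',   # placeholder, taken from the thread's event output
    [switch]$Fix                            # grant read access where the check finds none
)
$ErrorActionPreference = 'Stop'

$logKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

# 1. Resolve the message DLL the same way the event log API does: read the
#    source's EventMessageFile value and expand %SystemRoot%.
$msgFile = (Get-ItemProperty -Path "$logKey\Security" -Name EventMessageFile).EventMessageFile
$msgPath = [Environment]::ExpandEnvironmentVariables($msgFile)
"Security source message file: $msgPath"

# 2. Identities an Allow entry may name and still cover the account.  Nested group
#    membership is not resolved here; the runas test described below is authoritative.
$principals = @($Account, 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Get-CoveringAllowRules {
    param([string]$Path, [string]$RightsProperty, [int]$NeededMask)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $principals -contains $_.IdentityReference.Value -and
        (([int]$_.$RightsProperty) -band $NeededMask) -eq $NeededMask
    }
}

$readKey  = [int][System.Security.AccessControl.RegistryRights]::ReadKey
$readFile = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

$checks = @(
    @{ Path = $logKey;            Prop = 'RegistryRights';   Mask = $readKey  },
    @{ Path = "$logKey\Security"; Prop = 'RegistryRights';   Mask = $readKey  },
    @{ Path = $msgPath;           Prop = 'FileSystemRights'; Mask = $readFile }
)

foreach ($c in $checks) {
    $rules = @(Get-CoveringAllowRules -Path $c.Path -RightsProperty $c.Prop -NeededMask $c.Mask)
    if ($rules.Count -gt 0) {
        "OK      {0} (read allowed via {1})" -f $c.Path, (($rules | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
        continue
    }
    "MISSING {0}: no Allow entry covering $Account" -f $c.Path
    if (-not $Fix) { continue }

    # Grant the minimum: ReadKey (inherited by subkeys) on a registry key,
    # ReadAndExecute on the DLL.  Nothing here touches write or clear rights.
    $acl = Get-Acl -Path $c.Path
    if ($c.Prop -eq 'RegistryRights') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Account, 'ReadKey', 'ContainerInherit', 'None', 'Allow')
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'ReadAndExecute', 'Allow')
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $c.Path -AclObject $acl
    "FIXED   {0}" -f $c.Path
}

# 3. The thread's counting task as a Log Parser query.  Grouping on EventID does
#    not need the message DLL at all; only the Message column does.
& logparser.exe -i:EVT -o:NAT "SELECT EventID, COUNT(*) AS Hits FROM Security WHERE EventID IN (528; 538; 540) GROUP BY EventID"
```

Run it once without -Fix and read the MISSING lines before changing anything; grant to the single service account rather than to a broad group such as Users, since the Security key reveals the audit configuration. The authoritative test is to do it as the account itself: `runas /user:COMPANY\pmtest cmd`, then `logparser -i:EVT "SELECT TOP 1 Message FROM Security WHERE EventID = 538"` and see whether Message still carries the "cannot be found" text. Also note the last comment in the script: if Gera's SQL only groups on EventID, or pulls fields with EXTRACT_TOKEN(Strings, ...), the DLL lookup is irrelevant and the only thing the account needs is the right to open the log.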
 

Gera,

Could you please advise if you found any solution as I am facing the
same problem.
Many thanks



--
Rustem
------------------------------------------------------------------------
Posted via http://www.mcse.ms
------------------------------------------------------------------------
View this thread: http://www.mcse.ms/message855064.html
 

I am not sure what you are asking, but if you want to prevent domain users
from reading the security logs on their computers then either don't make
them a local administrator or, if they have to be, add their domain account to
the local guests group and use Group Policy to deny access to members of the
guests group to the security/application/system logs. A local administrator
could certainly remove themselves from the guests group if they knew what
they were doing, though you can also use Group Policy Restricted Groups to
enforce membership of local groups on domain computers at the Organizational
Unit level so that the membership of the guests group would be enforced at
the next security policy refresh interval. --- Steve



"Rustem" <Rustem.1s5pi0@mail.mcse.ms> wrote in message
news:Rustem.1s5pi0@mail.mcse.ms...