Permissions Changes on Windows Event Log Not Working (GPO Change)

Tags: permissions, windows-event-log, windows-registry

I'm trying to grant permissions to the Network Service account (SID S-1-5-20) on the event log "Microsoft-Windows-CAPI2/Operational" (see picture below). However, I need to push this change to more than 1000 servers, and more are coming, so my solution has to be linked somehow to a GPO (I am trying to avoid the use of a script with the GPO for technical reasons).

[Image: CAPI2 event log]

According to the instructions from Microsoft, you have to:

  1. Create a new registry key named "CustomSD" under the concerned event log key in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\custom_log'
  2. Create a string "CustomSD" with the proper permissions defined in SDDL
    format: O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)
  3. Restart the host and verify permissions

However, when I reboot the host and check the permissions using the following commands, I can see that the new permissions are not applied:

wevtutil get-log "Microsoft-Windows-CAPI2/Operational"
or
Get-WinEvent -ListLog "Microsoft-Windows-CAPI2/Operational" | Format-List -Property *

[Image: SDDL permissions]

Where I am confused is that only the following keys, related to the main event logs, are available in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\':

[Image: Registry log]

And in my case I have tried to:

  • create a new registry key in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\CAPI2' >> did not work


  • create the registry key in the following path,
    'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\application\Microsoft-Windows-CAPI2', since the name of the event log was present there >> did not work
    [Image: Custom SD on CAPI]

So my point is that I do not understand why the permissions are not updated. Am I doing something wrong? I have also checked the following link, but it seems that it applies only to the event logs available in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\'.

Best Answer

Thanks to the great answer from @GregAskew, I was able to push event log permissions over GPO. My steps were:

  1. Create a new GPO and browse to the Registry settings (available in Computer > Preferences > Windows Settings > Registry) to update the "ChannelAccess" entry.
  2. Add the proper permissions in SDDL format in the "Value data" field.
  3. Enable the CAPI2 event log (disabled by default) by updating the registry value "Enabled" to 1.
  4. As a result my GPO looks like this: [Image: GPO result]

After the GPO is activated and applied, you can check on your target client the correct application of the permissions by browsing to the following path in the registry

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<event log>

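Added example, not code from the question or the answer above: a PowerShell script that produces the ChannelAccess value the answer's GPO registry item needs, and then checks on a target host that the registry value and the descriptor the Event Log service actually enforces agree. It takes the channel name, the SID and the access mask as parameters (these parameters, the -Apply switch and the output field names are my own choices, not anything from the post); the defaults match the post (CAPI2/Operational, S-1-5-20, read = 0x1). Rather than typing a whole SDDL string by hand, it reads the descriptor the service currently reports and appends one allow ACE, so the existing grants are preserved. Nothing is written unless -Apply is given, and, as the answer says, the host still has to reboot before the service picks up the new value.

```powershell
# Added example, not code from the question or the answer above.
# Assumptions: run elevated on a host where the channel is registered; the
# parameters below are mine (not from the post); registry writes happen only
# with -Apply and still need the reboot described in the answer to take effect.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Channel = 'Microsoft-Windows-CAPI2/Operational',
    [string]$Sid     = 'S-1-5-20',   # Network Service
    [int]   $Rights  = 0x1,          # event log rights: 0x1 read, 0x2 write, 0x4 clear
    [switch]$Apply
)

# Channel names contain '/', which the PowerShell registry provider treats as a
# path separator, so use the .NET registry API with the literal key name instead
# of Get-ItemProperty / Set-ItemProperty on an HKLM:\ path.
$subKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\$Channel"
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, [bool]$Apply)
if (-not $key) { throw "Channel key not found: HKLM\$subKey" }

# Effective descriptor as the service sees it (same data 'wevtutil gl' prints).
$currentSddl = (Get-WinEvent -ListLog $Channel -ErrorAction Stop).SecurityDescriptor
Write-Host "Effective SDDL now  : $currentSddl"

# Parse the SDDL, append an access-allowed ACE for the SID unless an equivalent
# one is already there, and serialise it again. Appending keeps the default
# grants instead of replacing the whole descriptor with a hand-typed string.
$sd     = [System.Security.AccessControl.RawSecurityDescriptor]::new($currentSddl)
$sidObj = [System.Security.Principal.SecurityIdentifier]::new($Sid)
$has = $sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.CommonAce] -and
    $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
    $_.SecurityIdentifier -eq $sidObj -and
    (($_.AccessMask -band $Rights) -eq $Rights)
}
if (-not $has) {
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $Rights, $sidObj, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
}
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Write-Host "ChannelAccess value : $newSddl"   # this string goes into the GPO registry item

if ($Apply -and $PSCmdlet.ShouldProcess("HKLM\$subKey", 'Set ChannelAccess and Enabled=1')) {
    $key.SetValue('ChannelAccess', $newSddl, [Microsoft.Win32.RegistryValueKind]::String)
    $key.SetValue('Enabled', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
}

# Verification on a target: registry value vs. what the service enforces.
# Once the GPO has applied and the host has rebooted, the two should match and
# the effective descriptor should contain an allow ACE for the SID.
$pattern = '\(A;;0x[0-9A-Fa-f]+;;;' + [regex]::Escape($Sid) + '\)'
$effective = (Get-WinEvent -ListLog $Channel).SecurityDescriptor
[pscustomobject]@{
    Channel        = $Channel
    Enabled        = $key.GetValue('Enabled')
    RegistrySddl   = $key.GetValue('ChannelAccess')
    EffectiveSddl  = $effective
    SidHasAllowAce = [bool]($effective -match $pattern)
}
$key.Close()
```

Run it without -Apply on one reference host to get the ChannelAccess string for the GPO item, and again (still without -Apply) on a client after the policy has applied and the host has rebooted; a RegistrySddl that differs from EffectiveSddl, or SidHasAllowAce still False, means the value landed in the registry but the service has not picked it up yet, or the GPO wrote it under the wrong key.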