I am having a bit of a strange error, seems like it's permissions related, though I have done a fair amount of searching and none of the suggestions have worked.
I have a PowerShell script, running directly on a Windows 2012 DC. It attempts to get information from the Event Viewer logs, specifically "Security", but all of a sudden the server is now (as of a few days ago) saying that "Get-EventLog: Requested access is not allowed".
It's a very simple command as well:
```
Get-Eventlog -Logname Security -Newest 1
```
But the result is the following:
```
Get-EventLog : Requested registry access is not allowed.
At line:1 char:1
+ Get-EventLog -Newest 1
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-EventLog], SecurityException
    + FullyQualifiedErrorId : System.Security.SecurityException,Microsoft.PowerShell.Commands.GetEventLogCommand
```
What I have attempted:
- Gave myself permission (made sure admins/server operators have full access), also added "Everyone" temporarily. This was done in RegEdit:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
- Cleared logs for Security in Event Viewer
- Attempted to run same script with same permissions on secondary DC, and it works there. Also works if I specify -Computername SecondDC.mydomain.ads, but not if I don't specify it or specify FirstDc.mydomain.ads.
I have a feeling something could be corrupt? I have no idea where to look at this point. I should be able to pull Event Logs from PowerShell as an admin.
Best Answer
This feels like a workaround, it's too complicated for a simple and obvious security monitoring request, but it works on w2012:
Yes, others have found this before me: http://powerkb.se/?p=614
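
A read-only check of the registry ACLs the question refers to, as an added example that is not part of the original question or answer. It lists every ACE on the EventLog key and on its Security subkey, shows whether the key blocks inheritance, and flags an Allow ACE that still gives Everyone or Authenticated Users write-level rights after the temporary change described in the question. The function name `Get-EventLogKeyAcl` is hypothetical, and the Security subkey path is an assumption not stated on the page.

```powershell
# Added example (hypothetical helper name); read-only, run elevated on the affected DC.
# The parent key is the one named in the question. The Security subkey path is an
# assumption about where the per-log ACL sits, not something stated on the page.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
)
# Well-known SIDs of broad principals: Everyone, Authenticated Users.
$broadSids = @('S-1-1-0', 'S-1-5-11')
# Rights that let a principal modify the key or its ACL.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Get-EventLogKeyAcl {
    param([string[]]$Path)
    foreach ($p in $Path) {
        try {
            $acl = Get-Acl -Path $p -ErrorAction Stop
        } catch {
            # Reading the ACL can itself be denied; report that instead of stopping.
            [pscustomobject]@{ Key = $p; Identity = $null; Rights = $null; Type = 'ERROR'
                               Inherited = $null; InheritanceBlocked = $null
                               Note = $_.Exception.Message }
            continue
        }
        foreach ($ace in $acl.Access) {
            # Resolve the account to a SID so the check does not depend on display names.
            $sid = try {
                $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { $null }
            $broadWrite = $ace.AccessControlType -eq 'Allow' -and
                          $broadSids -contains $sid -and
                          (([int]$ace.RegistryRights -band $writeMask) -ne 0)
            [pscustomobject]@{
                Key                = $p
                Identity           = $ace.IdentityReference.Value
                Rights             = $ace.RegistryRights
                Type               = $ace.AccessControlType
                Inherited          = $ace.IsInherited
                InheritanceBlocked = $acl.AreAccessRulesProtected
                Note               = if ($broadWrite) { 'broad principal has write-level rights' } else { '' }
            }
        }
    }
}

Get-EventLogKeyAcl -Path $keys | Format-Table -AutoSize -Wrap
```

Running it on both domain controllers and comparing the two tables shows whether the ACLs differ between the host where the command fails and the one where it works.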