May 26 2020
10:19 AM
- last edited on
Nov 30 2021
09:28 AM
by
TechCommunityAP
I'm getting these errors every 30 seconds. I've already updated our domain controller GPO and confirmed that the MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD registry entry has updated.
"O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)"
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)
May 26 2020 11:04 AM
@BillR1410 Why are you using CustomSD? Do you have to do that because a 3rd party on the machine requires it?
May 26 2020 11:35 AM
@Eli Ofek I left two SIDs out of the list I posted. One grants our server team access to read the DC logs, and the other grants the SCOM service account access to read the logs.
May 26 2020 11:58 AM
@BillR1410 When using CustomSD it's not enough to add the ATA's account SID to it.
You will also need to add it via the event log API.
You can try that using this powershell sequence:
# The Azure ATP sensor service SID from the error above, granted read (0x1) on the Security channel.
$ATADaclEntry = "(A;;0x1;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)"
# Open the channel configuration through the Event Log API (the same API that EvtSubscribe enforces).
$EventLogConfiguration = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList "Security"
# Show the current SDDL before changing it.
$EventLogConfiguration.SecurityDescriptor
# Append the ACE to the end of the DACL (this assumes the SDDL ends with the D: section and has no trailing S: SACL part).
$EventLogConfiguration.SecurityDescriptor = $EventLogConfiguration.SecurityDescriptor + $ATADaclEntry
$EventLogConfiguration.SecurityDescriptor
# Write the new descriptor back; for the Security channel this also populates the CustomSD registry value.
$EventLogConfiguration.SaveChanges()
Normally this should happen during deployment time, but I have seen cases where customer policy keeps reverting it...
May 26 2020 02:15 PM
@Eli Ofek I disabled the GPO, deleted the CustomSD registry key, and ran the API commands. It created a new CustomSD key with this value, but it still is throwing the errors. I've rebooted for good measure.
O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;NS)(A;;0x1;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)
May 26 2020 02:39 PM
May 26 2020 03:24 PM
@Eli Ofek I tried the API commands on a new DC in my lab and all it appears to have done is create the registry entry.
May 26 2020 04:33 PM
@Eli Ofek Unfortunately I am still at 2012 R1 for now.
May 31 2020 06:36 AM
So after running the script, the virtual user SID needed for the service still appears in the generated CustomSD, and the CustomSD value is not changed a few minutes after that to something else?
Jun 01 2020 07:11 AM
@BillR1410 The only cases I know of with similar symptoms always ended up with some GPO setting that caused this, and the customer was not aware of its existence.
At this point I suggest opening a case with support to troubleshoot more deeply;
if you are still getting the same exception that shows we have no permissions, that means something is still messing with the permissions after you fix them.
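The check a practitioner would want at this point, as an added example that is not part of the thread or of the Azure ATP product: read the channel descriptor the Event Log API reports (the one EvtSubscribe enforces) and the CustomSD registry value Group Policy writes, parse both as SDDL rather than string-matching them, confirm the sensor SID holds the read right (0x1) in each, and optionally poll so that anything rewriting either descriptor shows up as a timestamped change. The SID default is the sensor service SID quoted in the thread; the parameter names, polling interval and log path are assumptions for illustration.

```powershell
# Added diagnostic (not part of the thread or of Azure ATP). Checks whether a SID can read a
# channel according to (a) the descriptor the Event Log API reports, which is what EvtSubscribe
# enforces, and (b) the CustomSD registry value that Group Policy writes, and optionally polls
# both so a reverting policy shows up as a logged change. The SID default is the sensor service
# SID quoted in the thread; parameter names, interval and log path are assumptions.
param(
    [string]$Channel      = 'Security',
    [string]$Sid          = 'S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682',
    [int]   $WatchSeconds = 0,                               # 0 = check once, >0 = poll at this interval
    [string]$LogPath      = "$env:TEMP\customsd-watch.log"   # assumed log location
)

$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$Channel"
$ReadBit = 0x1   # event log "read" access right; the (A;;0x1;;;SID) ACE in the thread grants exactly this

function Get-ChannelSddl {
    # Effective descriptor from the Event Log API (what a subscription is checked against).
    $cfg = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration -ArgumentList $Channel
    return $cfg.SecurityDescriptor
}

function Get-CustomSdSddl {
    # CustomSD value under the channel's service key; $null when the value is absent.
    $item = Get-ItemProperty -Path $RegPath -Name CustomSD -ErrorAction SilentlyContinue
    if ($item) { return [string]$item.CustomSD } else { return $null }
}

function Test-SidHasRead {
    param([string]$Sddl, [string]$Sid)
    if ([string]::IsNullOrEmpty($Sddl)) { return $false }
    # Parse the SDDL so the mask spelling (0x1 vs CC) and ACE order do not matter.
    $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (-not ($ace -is [System.Security.AccessControl.CommonAce])) { continue }
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        if (($ace.AccessMask -band $ReadBit) -eq 0) { continue }
        # A matching deny ACE wins; in a canonical DACL it precedes any allow ACE.
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied)  { return $false }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) { return $true }
    }
    return $false
}

$previous = $null
do {
    $api   = Get-ChannelSddl
    $reg   = Get-CustomSdSddl
    $state = "$api|$reg"
    if ($state -ne $previous) {
        # Record every change of either descriptor with a timestamp, so a GPO refresh that
        # rewrites CustomSD, or a process that rewrites the channel configuration, leaves a trace.
        $regShown = if ($null -eq $reg) { '<absent>' } else { $reg }
        $line = '{0} api_read={1} customsd_read={2} api="{3}" customsd="{4}"' -f `
            (Get-Date -Format o), (Test-SidHasRead $api $Sid), (Test-SidHasRead $reg $Sid), $api, $regShown
        Write-Output $line
        Add-Content -Path $LogPath -Value $line
        $previous = $state
    }
    if ($WatchSeconds -gt 0) { Start-Sleep -Seconds $WatchSeconds }
} while ($WatchSeconds -gt 0)
```

Run it elevated on the domain controller; with `-WatchSeconds 60` it keeps polling and writes a line only when one of the two descriptors changes. The thread shows that SaveChanges() itself populates CustomSD, so the two values normally agree once the service has picked them up: a CustomSD value that flips back after a few minutes points at Group Policy (on a domain controller the default background refresh interval is five minutes), while an API-side descriptor that changes without a corresponding CustomSD change points at something else rewriting the channel configuration.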
Jun 01 2020 07:38 AM
Jun 01 2020 07:47 AM
@Eli Ofek We opened a ticket on Friday. So I will hopefully have a solution this week. I'll review all of the GPO settings that apply to the DCs today. The GPO that I disabled is the only GPO we have that sets the CustomSD value, but perhaps a different GPO setting is causing a side effect.