cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ATA Evenlog permission issues

BillR1410
Copper Contributor

‎May 26 2020 10:19 AM - last edited on ‎Nov 30 2021 09:28 AM by

‎May 26 2020 10:19 AM - last edited on ‎Nov 30 2021 09:28 AM by

ATA Evenlog permission issues

I'm getting these errors every 30 seconds. I've already updated our domain controller GPO and confirmed that the MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD registry entry has updated.

 

"O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)"

 

System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)

2,295 Views
0 Likes
13 Replies
Reply
13 Replies
Eli Ofek

‎May 26 2020 11:04 AM

‎May 26 2020 11:04 AM

Re: ATA Evenlog permission issues

@BillR1410 Why are you using CustomSD? do you have to do that because a 3rd party on the machine requires it ?

0 Likes
Reply
BillR1410

‎May 26 2020 11:35 AM

‎May 26 2020 11:35 AM

Re: ATA Evenlog permission issues

@Eli Ofek I left out two SIDs out of the list I posted. One grants our server team access to read the DC logs, and the other grants the SCOM service account access to read the logs.

0 Likes
Reply
Eli Ofek

‎May 26 2020 11:58 AM

‎May 26 2020 11:58 AM

Re: ATA Evenlog permission issues

@BillR1410 When using CustomSD it's not enough to add the ATA's account SID to it.

You will also need to add it via the event log API.

 

You can try that using this powershell sequence:

 

 

 $ATADaclEntry = "(A;;0x1;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)"
$EventLogConfiguration = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration("Security")
$EventLogConfiguration.SecurityDescriptor
$EventLogConfiguration.SecurityDescriptor = $EventLogConfiguration.SecurityDescriptor + $ATADaclEntry
$EventLogConfiguration.SecurityDescriptor
$EventLogConfiguration.SaveChanges()

 

Normally this should happen during deployment time, but I have seen cases where customer policy keeps reverting it...

0 Likes
Reply
BillR1410

‎May 26 2020 02:15 PM

‎May 26 2020 02:15 PM

Re: ATA Evenlog permission issues

@Eli Ofek  I disabled the GPO, deleted the CustomSD registry key, and ran the API commands. It created a new CustomSD key with this value, but it still is throwing the errors. I've rebooted for good measure.

 

O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;NS)(A;;0x1;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)

0 Likes
Reply
Eli Ofek

‎May 26 2020 02:39 PM

‎May 26 2020 02:39 PM

Re: ATA Evenlog permission issues

These Api calls should not create this registry key. If it reappeared you have something else that does it and likely breaks permissions
0 Likes
Reply
BillR1410

‎May 26 2020 03:24 PM

‎May 26 2020 03:24 PM

Re: ATA Evenlog permission issues

@Eli Ofek I tried the API commands on a new DC in my lab and all it appears to have done is create the registry entry.

0 Likes
Reply
Eli Ofek

‎May 26 2020 04:14 PM

‎May 26 2020 04:14 PM

Re: ATA Evenlog permission issues

What os version?
0 Likes
Reply
BillR1410

‎May 26 2020 04:33 PM

‎May 26 2020 04:33 PM

Re: ATA Evenlog permission issues

@Eli Ofek Unfortunately I still at 2012 R1 for now.

0 Likes
Reply
Eli Ofek

‎May 31 2020 06:36 AM

‎May 31 2020 06:36 AM

Re: ATA Evenlog permission issues

So after running the script, the virtual user seed needed for the service still appears in the generated CustomSD, and the CustomSD value is not changed a few minutes after that to something else?

0 Likes
Reply
BillR1410

‎May 31 2020 05:34 PM

‎May 31 2020 05:34 PM

Re: ATA Evenlog permission issues

That is correct.
0 Likes
Reply
Eli Ofek

‎Jun 01 2020 07:11 AM

‎Jun 01 2020 07:11 AM

Re: ATA Evenlog permission issues

@BillR1410 The only cases I know with similar symptoms always ended up with having some GPO settings that caused this, and the customer was not ware of its existence.

At this point I suggest to open a case with support to troubleshoot more deeply, 

if you are still getting the same exception that shows we have no permissions, that means something is still messing with the permissions after you fix them.

 

0 Likes
Reply
Eli Ofek

‎Jun 01 2020 07:38 AM

‎Jun 01 2020 07:38 AM

Re: ATA Evenlog permission issues

@Eli Ofek

 

Note that the problematic GPO is usually found here...

0 Likes
Reply
BillR1410

‎Jun 01 2020 07:47 AM

‎Jun 01 2020 07:47 AM

Re: ATA Evenlog permission issues

@Eli Ofek We opened a ticket on Friday.So I will hopefully have a solution this week. I'll review all of the GPO setting that apply to the DCs today. The GPO that I disabled is the only GPO we have that sets the CustomSD value, but perhaps a different GPO setting is causing a side effect.

0 Likes
Reply