ATA Evenlog permission issues

%3CLINGO-SUB%20id%3D%22lingo-sub-1418414%22%20slang%3D%22en-US%22%3EATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1418414%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20getting%20these%20errors%20every%2030%20seconds.%20I've%20already%20updated%26nbsp%3Bour%20domain%20controller%20GPO%20and%20confirmed%20that%20the%26nbsp%3BMACHINE%5CSystem%5CCurrentControlSet%5CServices%5CEventlog%5CSecurity%5CCustomSD%20registry%20entry%20has%20updated.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%22O%3ABAG%3ASYD%3A(D%3B%3B0xf0007%3B%3B%3BAN)(D%3B%3B0xf0007%3B%3B%3BBG)(A%3B%3B0xf0007%3B%3B%3BSY)(A%3B%3B0x7%3B%3B%3BBA)(A%3B%3B0x7%3B%3B%3BSO)(A%3B%3B0x3%3B%3B%3BIU)(A%3B%3B0x3%3B%3B%3BSU)(A%3B%3B0x3%3B%3B%3BS-1-5-3)(A%3B%3B0x1%3B%3B%3BS-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESystem.UnauthorizedAccessException%3A%20Attempted%20to%20perform%20an%20unauthorized%20operation.%3CBR%20%2F%3Eat%20System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32%20errorCode)%3CBR%20%2F%3Eat%20System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle%20session%2C%20SafeWaitHandle%20signalEvent%2C%20String%20path%2C%20String%20query%2C%20EventLogHandle%20bookmark%2C%20IntPtr%20context%2C%20IntPtr%20callback%2C%20Int32%20flags)%3CBR%20%2F%3Eat%20System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()%3CBR%20%2F%3Eat%20Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.%3CUPDATEWINDOWSEVENTLOGREADERBOOKMARKSASYNC%3Eb__15_1(KeyValuePair%602%20_)%3CBR%20%2F%3Eat%20MoreLinq.MoreEnumerable.ForEach%5BT%5D(IEnumerable%601%20source%2C%20Action%601%20action)%3CBR%20%2F%3Eat%20async%20Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(%3F)%3CBR%20%2F%3Eat%20async%20Microsoft.Tri.Infrastructure.Framework.Module.%26lt%3B%26gt%3Bc__DisplayClass30_0.%3CREGISTERPERIODICTASK%3Eb__1(%3F)%3CBR%20%2F%3Eat%20async%20Microsoft.Tri.Infrastructure.Extensions.TaskExtension.%26lt%3B%26gt%3Bc__DisplayClass33_0.%3CRUNPERIODIC%3Eb__0(%3F)%3C%2FRUNPERIODIC%3E%3C%2FREGISTERPERIODICTASK%3E%3C%2FUPDATEWINDOWSEVENTLOGREADERBOOKMARKSASYNC%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1418414%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdvanced%20Threat%20Analytics%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1418541%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1418541%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F680137%22%20target%3D%22_blank%22%3E%40BillR1410%3C%2FA%3E%26nbsp%3BWhy%20are%20you%20using%20CustomSD%3F%20do%20you%20have%20to%20do%20that%20because%20a%203rd%20party%20on%20the%20machine%20requires%20it%20%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1418616%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1418616%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%26nbsp%3BI%20left%20out%20two%20SIDs%20out%20of%20the%20list%20I%20posted.%20One%20grants%20our%20server%20team%20access%20to%20read%20the%20DC%20logs%2C%20and%20the%20other%20grants%20the%20SCOM%20service%20account%20access%20to%20read%20the%20logs.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1418693%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1418693%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F680137%22%20target%3D%22_blank%22%3E%40BillR1410%3C%2FA%3E%26nbsp%3BWhen%20using%20CustomSD%20it's%20not%20enough%20to%20add%20the%20ATA's%20account%20SID%20to%20it.%3C%2FP%3E%0A%3CP%3EYou%20will%20also%20need%20to%20add%20it%20via%20the%20event%20log%20API.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20try%20that%20using%20this%20powershell%20sequence%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%20%24ATADaclEntry%20%3D%20%22(A%3B%3B0x1%3B%3B%3BS-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)%22%0A%24EventLogConfiguration%20%3D%20New-Object%20-TypeName%20System.Diagnostics.Eventing.Reader.EventLogConfiguration(%22Security%22)%0A%24EventLogConfiguration.SecurityDescriptor%0A%24EventLogConfiguration.SecurityDescriptor%20%3D%20%24EventLogConfiguration.SecurityDescriptor%20%2B%20%24ATADaclEntry%0A%24EventLogConfiguration.SecurityDescriptor%0A%24EventLogConfiguration.SaveChanges()%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENormally%20this%20should%20happen%20during%20deployment%20time%2C%20but%20I%20have%20seen%20cases%20where%20customer%20policy%20keeps%20reverting%20it...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1418985%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1418985%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%26nbsp%3B%20I%20disabled%20the%20GPO%2C%20deleted%20the%20CustomSD%20registry%20key%2C%20and%20ran%20the%20API%20commands.%20It%20created%20a%20new%20CustomSD%20key%20with%20this%20value%2C%20but%20it%20still%20is%20throwing%20the%20errors.%20I've%20rebooted%20for%20good%20measure.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EO%3ABAG%3ASYD%3A(A%3B%3BCCLCSDRCWDWO%3B%3B%3BSY)(A%3B%3BCCLC%3B%3B%3BBA)(A%3B%3BCC%3B%3B%3BER)(A%3B%3BCC%3B%3B%3BNS)(A%3B%3B0x1%3B%3B%3BS-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1419060%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1419060%22%20slang%3D%22en-US%22%3EThese%20Api%20calls%20should%20not%20create%20this%20registry%20key.%20If%20it%20reappeared%20you%20have%20something%20else%20that%20does%20it%20and%20likely%20breaks%20permissions%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1419115%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1419115%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%26nbsp%3BI%20tried%20the%20API%20commands%20on%20a%20new%20DC%20in%20my%20lab%20and%20all%20it%20appears%20to%20have%20done%20is%20create%20the%20registry%20entry.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1419149%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1419149%22%20slang%3D%22en-US%22%3EWhat%20os%20version%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1419162%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1419162%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%26nbsp%3BUnfortunately%20I%20still%20at%202012%20R1%20for%20now.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1429732%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1429732%22%20slang%3D%22en-US%22%3E%3CP%3ESo%20after%20running%20the%20script%2C%20the%20virtual%20user%20seed%20needed%20for%20the%20service%20still%20appears%20in%20the%20generated%20CustomSD%2C%20and%20the%20CustomSD%20value%20is%20not%20changed%20a%20few%20minutes%20after%20that%20to%20something%20else%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1430175%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1430175%22%20slang%3D%22en-US%22%3EThat%20is%20correct.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1431174%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1431174%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENote%20that%20the%20problematic%20GPO%20is%20usually%20found%20here...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1431117%22%20slang%3D%22en-US%22%3ERe%3A%20ATA%20Evenlog%20permission%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1431117%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F680137%22%20target%3D%22_blank%22%3E%40BillR1410%3C%2FA%3E%26nbsp%3BThe%20only%20cases%20I%20know%20with%20similar%20symptoms%20always%20ended%20up%20with%20having%20some%20GPO%20settings%20that%20caused%20this%2C%20and%20the%20customer%20was%20not%20ware%20of%20its%20existence.%3C%2FP%3E%0A%3CP%3EAt%20this%20point%20I%20suggest%20to%20open%20a%20case%20with%20support%20to%20troubleshoot%20more%20deeply%2C%26nbsp%3B%3C%2FP%3E%0A%3CP%3Eif%20you%20are%20still%20getting%20the%20same%20exception%20that%20shows%20we%20have%20no%20permissions%2C%20that%20means%20something%20is%20still%20messing%20with%20the%20permissions%20after%20you%20fix%20them.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I'm getting these errors every 30 seconds. I've already updated our domain controller GPO and confirmed that the MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD registry entry has updated.

 

"O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)"

 

System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtSubscribe(EventLogHandle session, SafeWaitHandle signalEvent, String path, String query, EventLogHandle bookmark, IntPtr context, IntPtr callback, Int32 flags)
at System.Diagnostics.Eventing.Reader.EventLogWatcher.StartSubscribing()
at Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.<UpdateWindowsEventLogReaderBookmarksAsync>b__15_1(KeyValuePair`2 _)
at MoreLinq.MoreEnumerable.ForEach[T](IEnumerable`1 source, Action`1 action)
at async Microsoft.Tri.Gateway.Collection.Events.EventListeners.WindowsEventLogReader.UpdateWindowsEventLogReaderBookmarksAsync(?)
at async Microsoft.Tri.Infrastructure.Framework.Module.<>c__DisplayClass30_0.<RegisterPeriodicTask>b__1(?)
at async Microsoft.Tri.Infrastructure.Extensions.TaskExtension.<>c__DisplayClass33_0.<RunPeriodic>b__0(?)

13 Replies

@BillR1410 Why are you using CustomSD? do you have to do that because a 3rd party on the machine requires it ?

@Eli Ofek I left out two SIDs out of the list I posted. One grants our server team access to read the DC logs, and the other grants the SCOM service account access to read the logs.

@BillR1410 When using CustomSD it's not enough to add the ATA's account SID to it.

You will also need to add it via the event log API.

 

You can try that using this powershell sequence:

 

 

 $ATADaclEntry = "(A;;0x1;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)"
$EventLogConfiguration = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogConfiguration("Security")
$EventLogConfiguration.SecurityDescriptor
$EventLogConfiguration.SecurityDescriptor = $EventLogConfiguration.SecurityDescriptor + $ATADaclEntry
$EventLogConfiguration.SecurityDescriptor
$EventLogConfiguration.SaveChanges()

 

Normally this should happen during deployment time, but I have seen cases where customer policy keeps reverting it...

@Eli Ofek  I disabled the GPO, deleted the CustomSD registry key, and ran the API commands. It created a new CustomSD key with this value, but it still is throwing the errors. I've rebooted for good measure.

 

O:BAG:SYD:(A;;CCLCSDRCWDWO;;;SY)(A;;CCLC;;;BA)(A;;CC;;;ER)(A;;CC;;;NS)(A;;0x1;;;S-1-5-80-1717699148-1527177629-2874996750-2971184233-2178472682)

These Api calls should not create this registry key. If it reappeared you have something else that does it and likely breaks permissions

@Eli Ofek I tried the API commands on a new DC in my lab and all it appears to have done is create the registry entry.

What os version?

@Eli Ofek Unfortunately I still at 2012 R1 for now.

So after running the script, the virtual user seed needed for the service still appears in the generated CustomSD, and the CustomSD value is not changed a few minutes after that to something else?

That is correct.

@BillR1410 The only cases I know with similar symptoms always ended up with having some GPO settings that caused this, and the customer was not ware of its existence.

At this point I suggest to open a case with support to troubleshoot more deeply, 

if you are still getting the same exception that shows we have no permissions, that means something is still messing with the permissions after you fix them.

 

@Eli Ofek

 

Note that the problematic GPO is usually found here...

@Eli Ofek We opened a ticket on Friday.So I will hopefully have a solution this week. I'll review all of the GPO setting that apply to the DCs today. The GPO that I disabled is the only GPO we have that sets the CustomSD value, but perhaps a different GPO setting is causing a side effect.

www.000webhost.com