Merge pull request #8829 from Deland-Han/cmpy-branch-ci5577

AB#5577: How to set event log security locally or by using Group Policy

Author: Deland-Han

support/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy.md

@@ -1,7 +1,7 @@
 ---
 title: Set event log security locally or via Group Policy
 description: This article provides the methods to set event log security access rights.
-ms.date: 01/15/2025
+ms.date: 04/29/2025
 manager: dcscontentpm
 audience: itpro
 ms.topic: troubleshooting
@@ -12,9 +12,9 @@ ms.custom:
 ---
 # How to set event log security locally or by using Group Policy  
 
-You can customize security access rights to their event logs in Windows Server 2012. These settings can be configured locally or through Group Policy. This article describes how to use both of these methods.
+You can customize security access rights to their event logs in Windows. These settings can be configured locally or through Group Policy. This article describes how to use both of these methods.
 
-_Applies to:_   Windows Server 2012 Standard, Windows Server 2012 Datacenter  
+_Applies to:_   All versions of Windows  
 _Original KB number:_   323076
 
 ## Summary
@@ -26,15 +26,15 @@ You can grant users one or more of the following access rights to event logs:
 - Clear
 
 > [!IMPORTANT]
-> You can configure the security log in the same way. However, you can change only Read and Clear access permissions. Write access to the security log is reserved only for the Windows Local Security Authority (LSA).
+> You can configure the security log in the same way. However, you can change only Read and Clear access permissions. Write access to the security log is reserved only for the Windows Local Security Authority (LSA) and identities that have the **Manage auditing and security log** privilege enabled.
 
-You can use an Administrative Template Policy for the purpose. The path for the System Eventlog, for example, is:
+You can use an Administrative Template Policy for the purpose. For example, the path for the System Eventlog is:
 
 > Computer Configuration\Administrative Templates\Windows Components\Event log Service\System
 
 The setting is *configure log access* and it takes the same Security Descriptor Definition Language (SDDL) string.
 
-Microsoft suggests moving to this method once you are on Windows Server 2012.
+Microsoft suggests moving to this method.
 
 ## Configure event log security locally
 
@@ -55,87 +55,29 @@ To construct an SDDL string, note that there are three distinct rights that pert
 - 2 = Write
 - 4 = Clear
 
-The following is a sample SDDL that shows the default SDDL string for the Application log. The access rights (in hexadecimal) are bold-faced for illustration:
+The following is a sample SDDL that shows the default SDDL string for the System log. The access rights (in hexadecimal) are bold-faced for illustration:
 
-> O:BAG:SYD:(D;; 0xf0007 ;;;AN)(D;; 0xf0007 ;;;BG)(A;; 0xf0007 ;;;SY)(A;; 0x5 ;;;BA)(A;; 0x7 ;;;SO)(A;; 0x3 ;;;IU)(A;; 0x2 ;;;BA)(A;; 0x2 ;;;LS)(A;; 0x2 ;;;NS)
+> O:BAG:SYD:(A;;**0xf0007**;;;SY)(A;;**0x7**;;;BA)(A;;**0x3**;;;BO)(A;;**0x5**;;;SO)(A;;**0x1**;;;IU)(A;;**0x3**;;;SU)(A;;**0x1**;;;S-1-5-3)(A;;**0x2**;;;S-1-5-33)(A;;**0x1**;;;S-1-5-32-573)
 
-For example, the first ACE denies Anonymous Users read, write, and clear access to the log. The sixth ACE permits Interactive Users to read and write to the log.
-
-## Modify your local policy to permit customization of the security of your event logs
-
-1. Back up the %WinDir%\Inf\Sceregvl.inf file to a known location.
-2. Open %WinDir%\Inf\Sceregvl.inf in Notepad.
-3. Scroll to the middle of file, and then put the pointer immediately before [Strings].
-4. Insert the following lines:
-
-   > MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppLogSD%,2  
-   MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysLogSD%,2
-
-5. Scroll to the end of the file, and then insert the following lines:
-
-   > AppLogSD="Event log: Specify the security of the application log in Security Descriptor Definition Language (SDDL) syntax"  
-   SysLogSD="Event log: Specify the security of the System log in Security Descriptor Definition Language (SDDL) syntax"
-
-6. Save and then close the file.
-
-7. Select **Start**, select **Run**, type *regsvr32 scecli.dll* in the **Open** box, and then press ENTER.
-
-8. In the **DllRegisterServer in scecli.dll succeeded** dialog box, select **OK**.
+For example, the first ACE allows System full control access to the log. The fifth ACE permits Interactive Users to read access to the log.
 
 ## Use the computer's local group policy to set your application and system log security
 
 1. Select **Start**, select **Run**, type *gpedit.msc*, and then select **OK**.
-2. In the Group Policy editor, expand **Windows Setting**, expand **Security Settings**, expand **Local Policies**, and then expand **Security Options**.
-3. Double-click **Event log: Application log SDDL**, type the SDDL string that you want for the log security, and then select **OK**.
-4. Double-click **Event log: System log SDDL**, type the SDDL string that you want for the log security, and then select **OK**.
-
-## Use group policy to set your application and system log security for a domain, site, or organizational unit in Active Directory
-
-> [!IMPORTANT]
-> To view the group policy settings that are described in this article in the Group Policy editor, first complete the following steps, and then continue to the [Use group policy to set your application and system log security](#use-group-policy-to-set-your-application-and-system-log-security) section:
-
-1. Use a text editor such as Notepad to open the Sceregvl.inf in the %Windir%\Inf folder.
-2. Add the following lines to the [Register Registry Values] section:
-
-   > MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2  
-   MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2  
-   MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2  
-   MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2  
-   MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2  
-   MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2
-
-3. Add the following lines to the [Strings] section:
-
-   > AppCustomSD="Eventlog: Security descriptor for Application event log"  
-   SecCustomSD="Eventlog: Security descriptor for Security event log"  
-   SysCustomSD="Eventlog: Security descriptor for System event log"  
-   DSCustomSD="Eventlog: Security descriptor for Directory Service event log"  
-   DNSCustomSD="Eventlog: Security descriptor for DNS Server event log"  
-   FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"
-
-4. Save the changes you made to the Sceregvl.inf file, and then run the `regsvr32 scecli.dll` command.
-5. Start Gpedit.msc, and then double-click the following branches to expand them:
-
-    **Computer Configuration**  
-    **Windows Settings**  
-    **Security Settings**  
-    **Local Policies**  
-    **Security Options**
-
-6. View the right panel to find the new Eventlog settings.
-
-### Use group policy to set your application and system log security
-
-1. In the Active Directory Sites and Services snap-in or the Active Directory Users and Computers snap-in, right-click the object for which you want to set the policy, and then select **Properties**.
-2. Select the **Group Policy** tab.
-3. If you must create a new policy, select **New**, and then define the policy's name. Otherwise, go to step 5.
-4. Select the policy that you want, and then select **Edit**.
-
-   The Local Group Policy MMC snap-in appears.
-
-5. Expand **Computer Configuration**, expand **Windows Settings**, expand **Security Settings**, expand **Local Policies**, and then select **Security Options**.
-6. Double-click **Event log: Application log SDDL**, type the SDDL string that you want for the log security, and then select **OK**.
-7. Double-click **Event log: System log SDDL**, type the SDDL string that you want for the log security, and then select **OK**.
+2. In the Group Policy Editor, expand the following folder tree under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Event log Service**.
+3. For the example of application eventlog, in the subfolder **Application**, double-click **Configure log access**, select **Enable**, type the SDDL string that you want for the log security, and then select **OK**.
+4. It's not necessary to set **Configure Log Access (Legacy)**. The option is for operating systems older than Windows Vista.
+
+## Use group policy to set your application and system log security
+
+1. Start the Group Policy Management Console.
+2. Select the OU where the target computers are, or the domain root if you want to define this for all machines in the domain.
+3. Select an existing policy to add the permissions to, or create a new policy with the Eventlog access permissions.
+4. Right-Click the policy and select **Edit**.
+5. The Local Group Policy MMC snap-in appears.
+6. Expand **Computer Configuration**, expand **Windows Settings**, expand **Security Settings**, expand **Local Policies**, and then select **Security Options**.
+7. Double-click **Event log: Application log SDDL**, type the SDDL string that you want for the log security, and then select **OK**.
+8. Double-click **Event log: System log SDDL**, type the SDDL string that you want for the log security, and then select **OK**.
 
 ## References