
I'm trying to grant permissions to the Network Service account (SID S-1-5-20) on the event log "Microsoft-Windows-CAPI2/Operational" (see picture below). However, I need to push this change to more than 1000 servers, and more are coming. So my solution has to be linked somehow to a GPO (I am trying to avoid the usage of a script with the GPO for technical reasons).

CAPI2 event log

According to the instructions from Microsoft, you have to:

  1. Create a new registry key named "CustomSD" under the concerned event log key in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\custom_log'
  2. Create a string "CustomSD" with the proper permissions defined in the SDDL format: O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)
  3. Restart the host and verify permissions

However, when I reboot the host and I check the permissions using the following commands, I can see that the new permissions are not applied:

wevtutil get-log "Microsoft-Windows-CAPI2/Operational"  OR
Get-WinEvent -ListLog "Microsoft-Windows-CAPI2/Operational"  | Format-List -Property * 

SDDL permissions

Where I am confused is that only the following keys related to the main event logs are available in : 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\'

Registry log

And in my case I have tried to :

  • create a new registry key in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\CAPI2' >> did not work


  • create the registry key in the following path 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\application\Microsoft-Windows-CAPI2' since the name of the event log was present >> did not work (image: Custom SD on CAPI)

So my point is that I do not understand why the permissions are not updated. Am I doing something wrong? I have also checked the following link, but it seems that it applies only to the event logs available in 'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\'.

2 Answers


Thanks to the great answer from @GregAskew, I was able to push event log permissions over GPO. My steps were:

  1. Create a new GPO and browse to the Registry settings (available in Computer > Preferences > Windows Settings > Registry) to update the "ChannelAccess" entry (image: gpo registry)
  2. Add the proper permissions in the SDDL format in the field Value data (image: Value data)
  3. Enable the event log CAPI2 (deactivated by default) by updating the registry key "Enabled" to 1 (image: enabled)
  4. As a result my GPO looks like this: (image: GPO result)

After the GPO is activated and applied, you can check on your target client the correct application of the permissions by browsing to the following path in the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\<event log>



I use wevtutil to set the permissions:

wevtutil set-log "Microsoft-Windows-CAPI2/Operational" /channelaccess:O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)

wevtutil get-log "Microsoft-Windows-CAPI2/Operational"

name: Microsoft-Windows-CAPI2/Operational
enabled: false
type: Operational
owningPublisher: Microsoft-Windows-CAPI2
isolation: Application
channelAccess: O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)
logging:
  logFileName: %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CAPI2%4Operational.evtx
  retention: false
  autoBackup: false
  maxSize: 1052672
publishing:
  fileMax: 1
Greg Askew
  • Hi Greg, thanks for the answer. However, I did not mention that I need to have this solution built into a GPO. Of course I could use a script that executes your command, but because of a technical constraint, I am trying to avoid a script method. Pushing registry keys over GPO would be the easiest solution. – Michel de Crevoisier Apr 10 '19 at 14:45
    Then you should create a registry preference for Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-CAPI2/Operational Value: ChannelAccess – Greg Askew Apr 10 '19 at 17:17
  • Thanks Greg, this works for me with the new registry key path. Can I suggest that you post your last comment as an answer, so I can validate it? Many thanks for your help. – Michel de Crevoisier Apr 11 '19 at 08:44
  • @MicheldeCrevoisier: sure thing, done. – Greg Askew Apr 11 '19 at 15:03
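As an added example (not code from the question or either answer), here is a small Python decoder for the channel SDDL string used on this page: it splits the string into owner, group and DACL, maps the aliases BA/SY/AU to SIDs, decodes each access mask against the event log channel rights (read 0x1, write 0x2, clear 0x4) and reports whether S-1-5-20 ends up with read access. The alias table and right names are assumptions taken from the well-known SDDL abbreviations and the documented event log rights; the function names are mine.

```python
import re

# Well-known SDDL aliases used on this page (assumed table; literal SIDs pass through).
SID_ALIASES = {
    "BA": "S-1-5-32-544",  # Builtin\Administrators
    "SY": "S-1-5-18",      # Local System
    "AU": "S-1-5-11",      # Authenticated Users
}

# Access-mask bits for an event log channel: read 0x1, write 0x2, clear 0x4.
CHANNEL_RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# One ACE: (type;flags;mask;object_guid;inherit_guid;sid)
ACE_RE = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[^;]*);(?P<mask>[^;]*);"
    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]+)\)"
)

def resolve_sid(token):
    """Map a two-letter SDDL alias to a SID; anything else is returned as-is."""
    return SID_ALIASES.get(token, token)

def decode_mask(mask_text):
    """Turn an ACE access mask (hex or decimal) into channel right names."""
    mask = int(mask_text, 0)
    return [name for bit, name in CHANNEL_RIGHTS.items() if mask & bit]

def parse_channel_sddl(sddl):
    """Split an O:..G:..D:(...) string into owner, group and decoded ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:(.*)", sddl)
    if m is None:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    owner, group, dacl = m.groups()
    aces = [{"type": a["type"], "sid": resolve_sid(a["sid"]),
             "rights": decode_mask(a["mask"])} for a in ACE_RE.finditer(dacl)]
    return {"owner": resolve_sid(owner), "group": resolve_sid(group), "aces": aces}

def grants(sddl, sid, right):
    """True if an access-allowed (A) ACE for `sid` includes `right`; deny ACEs are not evaluated."""
    return any(ace["type"] == "A" and ace["sid"] == sid and right in ace["rights"]
               for ace in parse_channel_sddl(sddl)["aces"])

if __name__ == "__main__":
    # The SDDL string from the question (constructed input for this example).
    PAGE_SDDL = "O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-20)"
    for ace in parse_channel_sddl(PAGE_SDDL)["aces"]:
        print(ace["sid"], ace["rights"])
    print("Network Service can read:", grants(PAGE_SDDL, "S-1-5-20", "read"))
```

Feed it the value read back from ChannelAccess in the registry or channelAccess in wevtutil get-log to confirm the Network Service ACE survived the GPO push.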