I have a script that, when it completes, needs to write an audit event to the Windows Security log showing the user who ran it.
I can write to any log except the Security log.
How can I do this?
New-EventLog -LogName Security -Source "MyApp"
Write-EventLog -LogName Security -source "MyApp" -EntryType Information -EventId 1 -Message "Script run by X"
When the log name is changed from Security to Application or System it works, but I keep getting the following when using Security:
Write-EventLog : The registry key for the log "Security" for source
"msevent" could not be opened. At line:1 char:1
+ Write-EventLog -LogName Security -source "msevent" -EntryType Information -Event ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Write-EventLog], Exception
+ FullyQualifiedErrorId : AccessDenied,Microsoft.PowerShell.Commands.WriteEventLogCommand
I am the admin and not sure why this happens, even after trying to modify the registry security permissions.
Does anyone know how I can do this?
MS Documentation:
Only the Local Security Authority (Lsass.exe) has write permission for
the Security log. No other account can request this privilege. To
write an event to the Security log, use the AuthzReportSecurityEvent
function.
Here is a link to the documentation: Event Logging Security
Also, here is a link that covers accessing the Win32 API from PowerShell, which should help with the implementation in case you absolutely have to use the Security log: Use PowerShell to Interact with the Windows API: Part 1
I am sorry to not provide a full example but due to time restrictions this will have to do it for now.
Regards
Elevated processes can write to the Security event log by using the AuthzReportSecurityEvent function.
The Vanara project provides .NET interop wrappers for this API and is available as a NuGet package for .NET developers. It would probably serve as a good starting point for creating something that is consumable from PowerShell.
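Since only LSASS may write to the Security log, the practical route for a script that just needs an audit trail is to write to a log an elevated process is allowed to use and record the real caller identity in the message. The following is an added example, not code from the original question or answers; the log name (Application), source name (MyApp) and event ID are assumptions for illustration. Note that New-EventLog and Write-EventLog exist in Windows PowerShell 5.1 but were removed from PowerShell 7, where the .NET System.Diagnostics.EventLog class does the same job.

```powershell
# Added example (not from the original post): record who ran a script in a log
# that an elevated process may write to. The Security log is reserved for
# LSASS, so the Application log is used; log/source names are assumptions.
$LogName = 'Application'
$Source  = 'MyApp'

# Registering a source needs administrator rights once. SourceExists scans the
# registry under every log (including Security), so it also needs elevation.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# Capture the identity actually running the script rather than a hard-coded name.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

$message = @"
Script completed.
User:     $($identity.Name)
SID:      $($identity.User.Value)
Elevated: $isAdmin
Host:     $env:COMPUTERNAME
Script:   $($MyInvocation.MyCommand.Path)
"@

try {
    # -ErrorAction Stop turns the cmdlet's non-terminating error into one the
    # catch block sees; otherwise a failed audit write would pass silently.
    Write-EventLog -LogName $LogName -Source $Source -EntryType Information `
        -EventId 1000 -Message $message -ErrorAction Stop
}
catch {
    # With -LogName 'Security' this is the branch you land in
    # (FullyQualifiedErrorId AccessDenied): only LSASS may write there.
    Write-Error "Cannot write to log '$LogName' as $($identity.Name): $($_.Exception.Message)"
}
```

Run it once elevated to register the source; afterwards any account that can write to the Application log can use it. The SID is included alongside the account name so the record survives a later rename of the account.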
I must add a domain user to the local group "Remote Desktop Users" via GPO.
Since I'm building Domain Controller images in an automated way, I want to create a policy that makes a domain user a member of the Remote Desktop Users local group on each domain-joined Windows client machine, using PowerShell.
I've been trying to manage the Restricted Groups of a GPO via PowerShell, but without success.
I found the following code, but it only returns an .xml in which I can check the groups located in the Restricted Groups of a GPO.
https://social.technet.microsoft.com/Forums/en-US/a956c361-3852-4ec2-a6e3-15475e67bdaa/listing-gpo-restricted-groups-with-powershell?forum=winserverpowershell
If there is a way to export the GPO as .XML (or any other format), edit it, and import the changes, that would also be fine.
Another forum post I found is a good solution, but it is still manual. I'd like to automate those steps via PowerShell, but it has been hard to do.
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/using-group-policy-preferences-to-manage-the-local-administrator/ba-p/259223
Please, does anyone know an automated way to create a GPO that adds a domain user to a local group?
Thanks all!
Try **Invoke-Command** and **Add-LocalGroupMember**
# The local group is named "Remote Desktop Users"; member names follow the
# Add-LocalGroupMember documentation examples (local, Microsoft account, Azure AD, domain).
ForEach ($ServerName in $Servers)
{
    Invoke-Command -ComputerName $ServerName -ScriptBlock {
        Add-LocalGroupMember -Group "Remote Desktop Users" -Member "Admin02", "MicrosoftAccount\username@Outlook.com", "AzureAD\DavidChew@contoso.com", "CONTOSO\Admins"
    }
}
https://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
Create new GPO: Computer Configuration / Policies / Windows Settings / Security Settings / Restricted Groups
or, if necessary, have the GPO run a PowerShell startup script:
Configuring PowerShell Startup Scripts with Group Policy
and in that script run:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "Admin02", "MicrosoftAccount\username@Outlook.com", "AzureAD\DavidChew@contoso.com", "CONTOSO\Admins"
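The Invoke-Command approach above is a one-time push, not a policy: unlike a Restricted Groups GPO, nothing re-adds the member if it is later removed. Run repeatedly it also fails on hosts where the account is already a member. The following is an added example, not code from the answer, that makes the push idempotent and reports per-host results; the computer names and the CONTOSO\rdp-support account are assumptions.

```powershell
# Added example (not from the original answer): add a domain principal to the
# local "Remote Desktop Users" group on several hosts, idempotently.
# Computer names and the member account are assumptions for illustration.
$Computers = @('client01', 'client02')
$Group     = 'Remote Desktop Users'
$Member    = 'CONTOSO\rdp-support'

# Hosts that are unreachable are collected in $unreachable instead of aborting the run.
$results = Invoke-Command -ComputerName $Computers -ArgumentList $Group, $Member `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable -ScriptBlock {
    param([string]$Group, [string]$Member)

    # Get-LocalGroupMember returns DOMAIN\name strings in .Name; -contains is
    # case-insensitive, so "contoso\RDP-Support" still matches.
    $existing = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    if ($existing.Name -contains $Member) {
        $status = 'AlreadyMember'
    }
    else {
        Add-LocalGroupMember -Group $Group -Member $Member -ErrorAction Stop
        $status = 'Added'
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Group    = $Group
        Member   = $Member
        Status   = $status
    }
}

$results | Format-Table Computer, Group, Member, Status -AutoSize
foreach ($e in $unreachable) {
    Write-Warning "$($e.TargetObject): $($e.Exception.Message)"
}
```

Keep the GPO (Restricted Groups or a startup script) as the enforcement mechanism and use a script like this only to seed machines or to audit what the policy should have produced; the Status column makes drift visible.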
I am trying to get the list of delegated permissions that I granted to a Service Principal by querying via PowerShell like below:
Get-AzureADOAuth2PermissionGrant | Where-Object { $_.ClientId -eq 'myappclientid' } | Select-Object -Property *
But I am getting a blank response.
I can see the Service Principal permissions in my Azure Portal, but I'm still facing the same problem.
Can anyone help me out with what am I missing here?
I'm giving the ObjectID of my application registered in Azure AD like this:
Please note that when you register an application in Azure AD, it automatically creates a Service Principal under Enterprise Applications with the same name but a different object_id.
Make sure to pass the object_id of your Enterprise Application, not of your registered application, like below:
Go to Azure Portal -> Azure Active Directory -> Enterprise Applications -> Your Application -> Overview
I tried to reproduce the same in my environment and got the below results:
When I passed the object_id of the registered application in the query, I got the same blank response:
When I passed the object_id of the Enterprise Application, I got the delegated permissions successfully:
References:
Apps & service principals in Azure AD - Microsoft Entra | Microsoft Docs
azure - How to list Service principal permissions using powershell - Stack Overflow by fabrisodotps1
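The blank result comes from the ObjectId mismatch the answer describes, but there is a second way to get nothing back: Get-AzureADOAuth2PermissionGrant without -All only returns the first page of grants, and the grant you are filtering for may not be on it. The following added example (not the answer's code) starts from the application (client) ID, which both objects share, resolves the service principal, and lists its delegated grants with the resource name expanded. The client ID and an existing Connect-AzureAD session are assumptions. The AzureAD module has since been deprecated in favour of Microsoft Graph PowerShell, where the equivalent cmdlets are Get-MgServicePrincipal and Get-MgOauth2PermissionGrant.

```powershell
# Added example (not from the original answer): list delegated (OAuth2)
# permission grants for an application by resolving its service principal.
# The AppId value and an active Connect-AzureAD session are assumptions.
$AppId = '00000000-0000-0000-0000-000000000000'   # application (client) ID, assumed

# The app registration and the enterprise application share AppId but have
# different ObjectIds; OAuth2 grants reference the service principal's ObjectId.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) {
    throw "No service principal for AppId $AppId exists in this tenant"
}

# -All $true is required: without it only the first page of grants is returned.
$grants = Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ClientId -eq $sp.ObjectId }

if (-not $grants) {
    Write-Warning "No delegated grants found for $($sp.DisplayName) ($($sp.ObjectId))"
}

foreach ($g in $grants) {
    # ResourceId is the ObjectId of the API being accessed (e.g. Microsoft Graph).
    $resource = Get-AzureADServicePrincipal -ObjectId $g.ResourceId
    [pscustomobject]@{
        Client      = $sp.DisplayName
        Resource    = $resource.DisplayName
        ConsentType = $g.ConsentType    # AllPrincipals = admin consent, Principal = a single user
        PrincipalId = $g.PrincipalId    # user ObjectId for per-user grants, empty for admin consent
        Scopes      = $g.Scope          # space-separated delegated permissions
    }
}
```

Only delegated permissions appear here; application permissions are app role assignments and are not returned by Get-AzureADOAuth2PermissionGrant.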
When logging on to a Windows server to check uptime and services, I am logged in through a gateway, and the server and the gateway require different credentials.
I am working on a PowerShell script that does this automatically, but I cannot find a way to use multiple credentials when invoking a command.
I am not sure if there is a solution for this in PowerShell.
When doing it manually, I log on directly to the server; the gateway prompt pops up automatically asking for credentials, and when I enter them another prompt for the server credentials pops up, then I am logged on to the server.
Thanks for the advice :-)
$Cred1 = [pscredential]::new($User1, $Password1) # service account for the target server
$Cred2 = [pscredential]::new($User2, $Password2) # gateway credentials
Invoke-Command -ComputerName xxx -ScriptBlock { xxx } -Credential $Cred1
...is not working with $Cred1, because the gateway requires $Cred2.
I am working on grabbing Windows 7 event logs remotely using PowerShell. My PowerShell script works locally:
Get-WinEvent -ComputerName localhost -LogName Security -MaxEvents 10
To access it remotely I modified it to:
Get-WinEvent -ComputerName remotecomputer -LogName Security -MaxEvents 10
I modified the Windows Firewall to allow Remote Event Log Management (RPC), but I still get:
"Get-WinEvent : Could not retrieve information about the Security log. Error: Attempted to perform an unauthorized operation."
I saw some blogs about adding CustomSD to the registry, but that looked like it was for Windows servers. I also tried using -Credential with no luck; the Remote Registry and RPC services are both running.
Any suggestions?
I wanted to put my answer on here: with admin rights it seems you can query PowerShell logs using XML over the network. If you use XML it seems to use the Windows credentials, and WinRM isn't necessary. We didn't even have to enable "Remote Event Log Management" in the Windows Firewall. If you have the right Windows credentials it just works. PowerShell is incredible.
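Get-WinEvent talks to the remote event log service over RPC (not WinRM), so what matters is that the account passed with -Credential is allowed to read the target's Security log, which on a client OS means membership in its local Administrators or Event Log Readers group. The following is an added example, not the answer's code, of the XML-query form the answer refers to, pulling recent successful logons (event 4624) from a remote Security log; the computer name is an assumption and the credential is prompted for.

```powershell
# Added example (not from the original answer): read logon events from a remote
# Security log over RPC with an explicit credential and an XML query.
# The computer name is an assumption; the credential is prompted for.
$Computer = 'win7-client01'
$Cred     = Get-Credential -Message "Account in Administrators or Event Log Readers on $Computer"

# Event 4624 = successful logon. The timediff() clause (milliseconds) is
# evaluated on the remote host, so only the last 24 h cross the wire.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
"@

try {
    $events = Get-WinEvent -ComputerName $Computer -Credential $Cred `
        -FilterXml $query -MaxEvents 50 -ErrorAction Stop
}
catch {
    if ($_.Exception.Message -like 'No events were found*') {
        $events = @()
    }
    else {
        # "Attempted to perform an unauthorized operation" here means the RPC
        # call reached the host but the account may not read its Security log.
        throw "Query of $Computer failed: $($_.Exception.Message)"
    }
}

# Flatten the EventData fields into a readable row per logon.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = $data['LogonType']    # 2 interactive, 3 network, 10 RemoteInteractive
        SourceIP  = $data['IpAddress']
    }
} | Format-Table -AutoSize
```

If this call fails with the same "unauthorized operation" error, the firewall and RPC are already fine and the fix is on the target: add the querying account to Event Log Readers there rather than editing the CustomSD registry value.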
I am using a ServiceController in a WinForms application to start and stop a service which listens to a message queue and processes the messages. I get an access denied error when the service is started from the WinForms application. I am using Vista Home Basic and an account of type Administrator, and I have used Log On As - Local System Account. The service can be started and stopped normally using the Services Management Console, but I get an error when I try to start the service programmatically. Can someone provide some guidance as to how to fix this issue?
Probably you were elevated when opening the Services console, but not for your own app.
Add an "Application Manifest File" (that is the name of the template in Visual Studio) and set the requested execution level to "requireAdministrator" (there are comments in the manifest file that will help).