I should point out that I admin for a different domain with a Windows Server 2008 DC and using the same above script it creates the correct custom events. I have also tried various additions and changes to the ACLs here but they all produce the same results. Given "authenticated users" full control over %systemroot%\system32\winevt\logs\Scripts.evtx, and write permission on %systemroot%\system32\winevt\logs.

If I type the same command *without* the /SO switch, it creates a log under "Scripts" with the source as "Scripts" with the information as defined by my variables. If I manually type this eventcreate command as a non-admin user, I get "Access is denied".

%SUBJECT% is a custom string which writes the username, domain\computername and timestamp into the body of the event.
%TYPE% is "Information", although all the other types work as well.
%SOURCE% is "LOGON_%USERNAME%" or "LOGOFF_%USERNAME%".
%SERVER% is our primary DC running Windows Server 2008 R2.

The command being called is as follows, with the variables defined in my script:

eventcreate /S %SERVER% /L %LOGNAME% /SO %SOURCE% /T %TYPE% /ID %LOGID% /D %SUBJECT%

The problem I am having is that I can get the script to create an entry as the non-admin user *ONLY* if I leave out the /so _subject_ switch. With the subject LOGON_%username% or LOGOFF_%username% depending on the script in question. I have a logon and logoff script which creates an entry in a custom event log which we have named "scripts". I have not seen much help in this, and the documentation is not helping me much either.