We got it fixed!
The user has to have the following permissions:
1) Member of the Backup Operators group
2) "Manage auditing and security log" user right, assigned via policy
3) (and the one I never would have guessed) The user must have Full permissions
on the registry key that governs the Security log:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
"JohnBates" wrote:
> Hello,
>
> I have a problem I am beating my head against. I have a script that will
> backup the security event log and then clear it. It works perfectly as an
> administrator but a standard user cannot successfully run it.
>
> Script:
> ---------------------------------------------------------------
> 'Arguments: archive file name (without extension) and the log to back up
> fileName = WScript.Arguments.Item(0)
> logType = WScript.Arguments.Item(1)
> fullPathName = fileName & ".evt"
>
> 'Display args passed
> WScript.Echo "Argument 0 - fileName :" & fileName
> WScript.Echo "Argument 1 - logType :" & logType
> WScript.Echo "fullPathName :" & fullPathName
>
> 'Connect to WMI with the Backup and Security privileges enabled on the
> 'impersonation token (lines continued with "_" so each call is one statement)
> strComputer = "."
> Set objWMIService = GetObject("winmgmts:" & _
>     "{impersonationLevel=impersonate,(Backup,Security)}!\\" & strComputer & _
>     "\root\cimv2")
> Set colLogFiles = objWMIService.ExecQuery("SELECT * FROM " & _
>     "Win32_NTEventLogFile WHERE LogFileName='" & logType & "'")
>
> For Each objLogFile In colLogFiles
>     'BackupEventLog returns a Win32 error code; 0 means success
>     errBackupLog = objLogFile.BackupEventLog(fullPathName)
>
>     If errBackupLog = 0 Then
>         WScript.Echo "The Security event log was backed up."
>         objLogFile.ClearEventLog()
>     End If
>     If errBackupLog = 8 Then
>         WScript.Echo "Privilege missing!"
>     End If
>     If errBackupLog = 21 Then
>         WScript.Echo "Invalid Parameter in call"
>     End If
>     If errBackupLog = 183 Then
>         WScript.Echo "The archive file already exists."
>     End If
> Next
> ----------------------------------------------------------------
>
> I have tried assigning the following rights to my test user:
>
> Manage Auditing and Security Rights
> Impersonate a client after authentication
> backup files and directories
>
> From what I could find (which is somewhat sparse) it may have to do with
> needing to set a CustomSD on the security event log. I have no experience
> whatsoever in regards to working with the Windows security subsystems at
> that level. Nor am I sure you could do that on a stand-alone machine that is
> not in a domain.
>
> The user can view the security event log in Event Viewer but not save it;
> it returns the error message "A required privilege is not held by the client".
>
> Anyone have any ideas?
>
> Thanks
>
> John Bates
> Raytheon
>
> Note: I originally posted this in public.security...not sure if that forum
> or this would be the right place.