JohnBates
Hello,
I have a problem I am beating my head against. I have a script that will
back up the security event log and then clear it. It works perfectly as an
administrator, but a standard user cannot successfully run it.
Script:
---------------------------------------------------------------
' Arguments: 0 = backup file name (without extension), 1 = event log name
fileName = WScript.Arguments.Item(0)
logType = WScript.Arguments.Item(1)
fullPathName = fileName & ".evt"

' Display args passed
WScript.Echo "Argument 0 - fileName :" & fileName
WScript.Echo "Argument 1 - logType :" & logType
WScript.Echo "fullPathName :" & fullPathName

strComputer = "."
' Connect to WMI with the Backup and Security privileges requested
Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate,(Backup,security)}!\\" & strComputer & _
    "\root\cimv2")
' Select the requested event log
Set colLogFiles = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_NTEventLogFile WHERE LogFileName='" & logType & "'")

For Each objLogFile In colLogFiles
    ' Back up the log; clear it only if the backup succeeded
    errBackupLog = objLogFile.BackupEventLog(fullPathName)
    If errBackupLog = 0 Then
        WScript.Echo "The Security event log was backed up."
        objLogFile.ClearEventLog()
    End If
    If errBackupLog = 8 Then
        WScript.Echo "Privilege missing!"
    End If
    If errBackupLog = 21 Then
        WScript.Echo "Invalid Parameter in call"
    End If
    If errBackupLog = 183 Then
        WScript.Echo "The archive file already exists."
    End If
Next
----------------------------------------------------------------
I have tried assigning the following rights to my test user:
Manage Auditing and Security Rights
Impersonate a client after authentication
Back up files and directories
From what I could find (which is somewhat sparse), it may have to do with
needing to set a CustomSD on the security event log. I have no experience
whatsoever in regards to working with the Windows security subsystems at
that level. Nor am I sure you could do that on a standalone machine that is
not under a domain.
The user can view the security event log in the Event Viewer but not save it;
it returns the error message "A required privilege is not held by the client".
Anyone have any ideas?
Thanks
John Bates
Raytheon
Note: I originally posted this in public.security...not sure if that forum
or this would be the right place.