Hi, I am running Win 10 20H2 and Server 2016 and 2012 DCs in an AD forest with a couple of child domains.
It has been requested of me to lock down the App, Sys, and Sec logs from some specific Admin accounts.
I have been trying to add the entries below into Sceregvl.inf and run the regsvr32 scecli.dll as documented in the article in Link 1 below, and the objects do not show up in Domain GPO or Local GPO. I have also added the Registry entries manually with the correct SDDL in the string. I have also tried adding the statement in the INF file as described in Link 2. I cannot get it to work.
Am I missing something?
Chris
CK
MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppLogSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecLogSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysLogSD%,2
and then insert the following lines:
AppLogSD="Event log: Specify the security of the application log in Security Descriptor Definition Language (SDDL) syntax"
SecLogSD="Event log: Specify the security of the Security log in Security Descriptor Definition Language (SDDL) syntax"
SysLogSD="Event log: Specify the security of the System log in Security Descriptor Definition Language (SDDL) syntax"
Link 1
https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/set-event-log-security-locally-or-via-group-policy
Link 2
A Group Policy setting isn't available in the security policy settings list - Windows Server | Microsoft Learn
https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/default-owner-objects-created-members-administrators-group-not-available
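
One way to check the manually added registry values described in the post, as an added example that is not part of the original post: it reads CustomSD for the three logs and decodes each ACE into trustee and rights. The function name, the sample SDDL string and the SID in it are constructed for illustration; the masks 0x1, 0x2 and 0x4 are the event log read, write and clear rights.

```powershell
# Added example (not from the original post). Run from an elevated prompt,
# otherwise the Security log key may not be readable.
# Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
function ConvertFrom-EventLogSddl {
    param([Parameter(Mandatory)][string]$Sddl)

    # Throws if the string is not valid SDDL, which catches typos early.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = @()
        if ($ace.AccessMask -band 0x1) { $rights += 'Read' }
        if ($ace.AccessMask -band 0x2) { $rights += 'Write' }
        if ($ace.AccessMask -band 0x4) { $rights += 'Clear' }

        # Resolve the SID to a name where possible; keep the raw SID otherwise.
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }

        [pscustomobject]@{
            Type    = $ace.AceType          # AccessAllowed or AccessDenied
            Trustee = $who
            Mask    = '0x{0:X}' -f $ace.AccessMask
            Rights  = $rights -join ','
        }
    }
}

# Constructed sample: deny all three rights to one (made-up) account SID,
# allow full access to SYSTEM and read+clear to built-in Administrators.
$sample = 'O:BAG:SYD:(D;;0x7;;;S-1-5-21-1111111111-2222222222-3333333333-1105)(A;;0x7;;;SY)(A;;0x5;;;BA)'
ConvertFrom-EventLogSddl $sample | Format-Table -AutoSize

# The registry values the post describes adding by hand.
$rows = foreach ($log in 'Application', 'Security', 'System') {
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$log"
    $sddl = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if (-not $sddl) {
        Write-Warning "${log}: no CustomSD value found"
        continue
    }
    ConvertFrom-EventLogSddl $sddl | Select-Object @{ n = 'Log'; e = { $log } }, *
}
$rows | Format-Table -AutoSize
```

A deny ACE only takes effect ahead of a matching allow ACE when it is listed first in the string, so the order of the decoded rows is worth checking as well as their content.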