Joshua Flanagan

I'd like to try and integrate my newsgroup posts with my blog.  I mentioned earlier that I spend more time in the newsgroups than I do posting to the blog.  But I do like the presentation and accessibility of the blog, so I'm wondering how I can combine them.

My first thought was to use the Google Web API to pull my newsgroup posts and integrate them into the blog's existing RSS feed.  But it looks like the Google Web API does not work with Google Groups (yet?).

For now, I can just publish this link to newsgroup posts by Joshua Flanagan.   Maybe I'll make it part of my blog skin so it is always available.  Anyone have any better ideas?

I'm not really sure yet how useful this would be to the general public.  The person with the specific problem already read the answer in the newsgroups.  It may turn out to just be one of those things that makes it easier for the me to find my own information.

This blog is not dormant. Or maybe it is, but this blog owner is not. I am generally really picky about what I consider worthy of a post. I try to avoid "me too" posts, or adding my take on something I'm not really qualified to comment on, or personal just about me posts (though I guess this one is dangerously close to that). My philosophy is, if someone searching for some information can find it easily elsewhere on the web, from a more authoritive voice, then there is no need for me to post. I do not have a delusion that I have a readership that relies on me solely for their information, and if I don't post about it, they won't find out about it. However, when I solve a problem that wasn't as easy as I thought it would be, because the information wasn't as available as I thought it should be, I will post.

I have found that I can contribute more to the community by being active in the newsgroups. You can find real people, with real problems, with real needs. If I can post a little bit of information, even if I am not the authority for that information, I know that I am helping someone. That's very different than just repeating some general information on my blog with the assumption that someone is looking to me for an answer.

On a related note, I got caught responding to a Usenet troll for the first time. I feel silly, dirty, naive. I'm used to having my guard up when reading troll havens like Slashdot, but this one caught me off guard because the posts in the groups I've been following are usually helpful, on-topic information. I thought I was providing useful information, but in fact I was just fueling a fire the troll was trying to start. So, just like I want to avoid adding "noise" on my blog, I'll have to be more careful in the future about contributing "noise" to the newsgroups.

One of the big “features“ of Windows 2003 Server is that the default install is much more secure than Windows servers of the past.  The offshoot is that some tasks that used to be easy are now a little more difficult.  I'm not complaining; I believe it is a price worth paying.  We just need to help each other out in documenting the workarounds.

Which brings me to the topic of this post: reading the event log.  In Windows 2003 Server, you can no longer read the event log of a server unless you are an administrator of that server.  This is a problem when you are trying to support an application (which logs its error messages to the Event Log), but cannot be an administrator of the server.

Fortunately, it is possible to change the permissions on an Event Log.  Unfortunately, it is not as straightforward as you might think.  I would have guessed it would involve changing the permissions on the Event Log registry keys - the children of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog.  So, if you guessed like me, you're wrong... but close.

The solution is in the registry, but does not involve permissions on the keys.  Windows 2003 introduced the CustomSD key - or Custom Security Descriptor.  It is a string written using the Security Descriptor Definition Language.  The solution is to add an additional ACE (Access Control Expression?) string to the default CustomSD value.  An ACE string grants a set of permissions to a specific user or users, identified by a SID (security ID?).  A much better explanation can be found by reading this article about the impact of security changes in Windows 2003 (scroll to the section Tighter ACLs on Event Logs).

When I first started digging into all of this stuff, I thought it would be great to write a little UI utility to build SDDL and ACE strings, with built-in support for the common SIDs.  Then reality hit and I realized that was a complete tangent from the task at hand - getting non-administrator access to the Event Log.

I decided I would grant Read access to the Application Event Log to all Authenticated Users, which can be expressed with the following ACE: (A;;0x1;;;AU)

I just needed to add that ACE to the existing CustomSD value on the Application Event Log.  The CustomSD value can be found on each event log key.  The location of the Application event log key is shown here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application

The original value of CustomSD was:

 O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

My new value was:

 O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;AU)

After editing the registry value, I was able to successfully read the event log on the server without being an administrator. If you want to grant different rights to different users, reading the links provided above should help you build the correct SDDL / ACE strings.

FYI: If you are using .NET and you use the EventLogInstaller to create a custom event log at deployment time, it would be a good idea to add additional code to your Installer class to append this ACE to the CustomSD of the newly created log.