Problem accessing remote EventLog: Access Denied


Post by dGFuZ2 » Thu, 19 Apr 2007 21:42:02


Hi,

I'm getting an error accessing a remote Event log on computers running
Windows 2000 Server at a customer, but I'm unable to reproduce the problem on
my test machines.

We use the OpenEventLog API to connect to the remote EventLog and we get an
error 5: Access Denied error.

The environment is: Trying to connect from a computer running Windows 2000
to other computers running Windows 2000 (and some XP) in the same domains, in
other Domains and even stand-alone. The error is the same in all the cases.
They have defined a local user with the same password in all the computers.
These users are local administrators in all the computers.

Source Code we use: As this API is called from a Windows Service we need to
change the user profile to be used in the connection first, so the code is
something like:

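/* Log the account on; hToken receives the new token. */
if ( !LogonUser( User, Domain, password,
                 LOGON32_LOGON_INTERACTIVE,
                 LOGON32_PROVIDER_DEFAULT,
                 &hToken ) )
    return GetLastError();

/* Load the profile of the logged-on user (zero the unused fields first). */
ZeroMemory( &ProfileInfo, sizeof( PROFILEINFO ) );
ProfileInfo.dwSize = sizeof( PROFILEINFO );
ProfileInfo.lpUserName = strdup( lpszUserName );
ProfileInfo.lpProfilePath = NULL;
ProfileInfo.lpDefaultPath = NULL;
ProfileInfo.lpServerName = NULL;
ProfileInfo.lpPolicyPath = NULL;
if ( !LoadUserProfile( hToken, &ProfileInfo ) )
    return GetLastError();

/* Impersonate the user on this thread before calling OpenEventLog. */
if ( !ImpersonateLoggedOnUser( hToken ) )
    return GetLastError();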

And then we call the OpenEventLog. It is the OpenEventLog call where the error
is produced. It happens when connecting to any EventLog (Security,
Application or System).

As I said before, on my test machines everything works fine but I was using
Windows 2000 Professional in almost all the cases. I have done the test both
using a domain user (this should always work) and defining a local user,
with the same password, both on the local and remote computer. In all the
cases they were Local Administrators and everything worked fine. I was only able
to reproduce the error when defining a different password on the remote
computer, when I removed the remote user from the Administrator group or some
obvious changes like that.

So it seems the problem is due to some settings in their configurations.

Some questions:

- Do you see anything wrong in the code that could explain what is happening?

- Is there something I can look at on the local or remote computer to get more
info about the reason for the "Access Denied" error? The event log does not
say anything and I don't know if there is any "trace" that I can activate.

- I have tried using in my machines the global "Security Policies" the
customer uses and everything worked fine. One comment: The customer uses
Windows 2000 Server, in my test I almost always used Windows 2000
Professional. Is there a "default" security setting different in both
systems that could explain what's happening?

- They say that even when our product does not work the Event Viewer does!
In all my internal tests I was unable to make Event Viewer work when my
code didn't (and the other way round: when my code worked, Event Viewer did
too).

- Any idea about what to look for??

Thanks very much in advance for any help!
 
 
 


Post by Kellie Fit » Fri, 20 Apr 2007 00:56:45

On Apr 18, 5:42 am, tango <XXXX@XXXXX.COM> wrote:


Hi,

Try using the following APIs to open the event log remotely under
the user's security context privileges:

LogonUserEx()
ImpersonateLoggedOnUser()
GetUserProfileDirectory()
LoadUserProfile()

........................
........................

UnloadUserProfile()
RevertToSelf()

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/logonuser.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/impersonateloggedonuser.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/getuserprofiledirectory.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/loaduserprofile.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/policy/policy/unloaduserprofile.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/reverttoself.asp

Kellie.



 
 
 


Post by jeta » Fri, 20 Apr 2007 21:40:54

Hi Tango,

I will perform some research on this issue and get back to you ASAP. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://www.yqcomputer.com/ #notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://www.yqcomputer.com/
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
 
 


Post by dGFuZ2 » Fri, 20 Apr 2007 23:02:02

Thanks, but I think we have found where the problem is: It was a security
setting in the remote EventLog that did not allow the connection to any type
of EventLog. The customer said the "Event Viewer" worked but they were
connecting to a different system!

Thanks anyway for your help.
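
Added example (not code from any poster in this thread): the logon, impersonation and OpenEventLog sequence discussed above, written so the caller learns which call failed with which error code and the impersonation is always reverted. The names where_to_look and read_remote_log_as are hypothetical, the profile load/unload calls are left out, and the Win32 part builds only on Windows.

```c
#include <stdio.h>
#include <string.h>

/* Which side to investigate, given the call that failed and its error code. */
const char *where_to_look(const char *step, unsigned long err)
{
    if (strcmp(step, "LogonUser") == 0)
        return "local: account name, password or logon right on this machine";
    if (strcmp(step, "OpenEventLog") == 0 && err == 5UL) /* ERROR_ACCESS_DENIED */
        return "remote: password match, Administrators membership, EventLog security settings";
    return "see the error code for this step";
}

#ifdef _WIN32
#include <windows.h>

/* Returns 0 on success, else the GetLastError() value of the call named in *step. */
DWORD read_remote_log_as(LPCSTR user, LPCSTR domain, LPCSTR password,
                         LPCSTR server, LPCSTR log, const char **step)
{
    HANDLE hToken = NULL, hLog = NULL;
    DWORD err = 0;

    *step = "LogonUser";
    if (!LogonUserA(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                    LOGON32_PROVIDER_DEFAULT, &hToken))
        return GetLastError();

    *step = "ImpersonateLoggedOnUser";
    if (!ImpersonateLoggedOnUser(hToken)) {
        err = GetLastError();
    } else {
        *step = "OpenEventLog";
        hLog = OpenEventLogA(server, log);  /* server is a UNC name: \\machine */
        if (hLog == NULL)
            err = GetLastError();           /* capture before any other API call */
        else
            CloseEventLog(hLog);
        RevertToSelf();                     /* drop the impersonation on every path */
    }
    CloseHandle(hToken);
    return err;
}
#endif

int main(void)
{
    /* Constructed case: the error 5 at OpenEventLog reported in the thread. */
    puts(where_to_look("OpenEventLog", 5UL));
    return 0;
}
```

Logging the failing call together with its error code and the target server name also makes it easy to confirm that a comparison test, such as Event Viewer, was run against the same machine.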
 
 
 


Post by jeta » Sat, 21 Apr 2007 12:23:20

Ok, if you need further help, please feel free to post, thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support