JSI Tip 8921. When you attempt to access an event log on Windows Server 2003, you receive 'Unable to complete the operation on . Access is denied.'?

When you attempt to access one of the following event logs on a Windows Server 2003, you receive a message similar to:

Unable to complete the operation on . Access is denied.:

Application
Directory Service
DNS Server
File Replication Service
System

This behavior will occur if the Domain Users group is a member of the built-in Guests group.

I have scripted AllowLogAccess.bat to resolve this problem.

To use AllowLogAccess.bat:

1. Log on to the Windows Server 2003 computer with administrative privileges.

2. Open a CMD.EXE window.

3. Type AllowLogAccess and press Enter.

AllowLogAccess.bat works by first determining of the Windows Server 2003 computer is a domain controller. If it is a domain controller, it removes the Domain Users from the built-in Guests group. If the server is NOT a domain controller, it configures the RestrictGuestAccess Value Name for the Application, System, and DNS Server event logs.

AllowLogAccess.bat contains:

@echo offsetlocalset test=nltest /dclist:%USERDNSDOMAIN%set fnd1=Findstr /C:"Site:"set fnd2=Find /I "%ComputerName%"set dc=Nfor /f "Tokens=1 Delims=. " %%d in ('%test%^|%fnd1%^|%fnd2%') do ( set dc=Y) if "%dc%" EQU "N" goto server@echo net localgroup Guests "Domain Users" /deletenet localgroup Guests "Domain Users" /deleteendlocalgoto :EOF:serverset key=HKLMSYSTEMCurrentControlSetServicesEventlog@echo reg add "%key%Application" /V RestrictGuestAccess /T REG_DWORD /D 0 /Freg add "%key%Application" /V RestrictGuestAccess /T REG_DWORD /D 0 /F@echo.@echo reg add "%key%System" /V RestrictGuestAccess /T REG_DWORD /D 0 /Freg add "%key%System" /V RestrictGuestAccess /T REG_DWORD /D 0 /F@echo.@echo reg add "%key%DNS Server" /V RestrictGuestAccess /T REG_DWORD /D 0 /Freg add "%key%DNS Server" /V RestrictGuestAccess /T REG_DWORD /D 0 /Fendlocal