Question

New to Windows programming here, and I am looking at code that was written for Windows Server 2003 that fails with Windows Server 2008.

The code essentially does the following:

Calls LookupPrivilegeValue(NULL, _T("SeAuditPrivilege"), &luidSeAudit); to get the LUID struct.

Please note, I check the return code of every API call to make sure no problems are encountered.

It then adjusts the TOKEN_PRIVILEGES:

HANDLE tokenHandle;
OpenProcessToken(...);   // the requested access must include TOKEN_ADJUST_PRIVILEGES
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = luidSeAudit;

// Returns TRUE even when the privilege is not present in the token; in that case
// GetLastError() is ERROR_NOT_ALL_ASSIGNED and the privilege stays unavailable.
AdjustTokenPrivileges(tokenHandle, FALSE, &tp, 0, NULL, NULL);
CloseHandle(tokenHandle);


TCHAR pBuf[260];
CString strPath;
int iRet;

GetModuleFileName(NULL, pBuf, 260);   // full path of the running executable
strPath = pBuf;
iRet = strPath.ReverseFind('\\');
strPath = strPath.Left(iRet);          // directory part only
CString strName = strPath;
strName += _T("\\");
strName += _T("MyTool.exe");
_tcscpy_s(pBuf, 260, strName);

AUTHZ_SOURCE_SCHEMA_REGISTRATION ar;
memset(&ar, 0, sizeof(ar));
ar.dwFlags = AUTHZ_ALLOW_MULTIPLE_SOURCE_INSTANCES;
ar.szEventSourceName = _T("MySim");
ar.szEventMessageFile = pBuf;          // message/resource file for the events
ar.szEventSourceXmlSchemaFile = NULL;
ar.szEventAccessStringsFile = pBuf;
ar.szExecutableImagePath = NULL;

Then I call

AuthzInstallSecurityEventSource(0, &ar);

No errors here either.

However, when I call:

if (!AuthzRegisterSecurityEventSource(0, _T("MySim"), &m_secEvProv)) {
    DWORD dwErr = GetLastError();   // 1314 here
    return Error;
}

Note that m_secEvProv is of type: AUTHZ_SECURITY_EVENT_PROVIDER_HANDLE.

I get error 1314:

ERROR_PRIVILEGE_NOT_HELD 1314 (0x522) A required privilege is not held by the client.

So to that end, what additional steps do I need to take to acquire such privilege in 2008?

Thank you


Solution

In the spirit of answering most of my questions, this is yet another example.

In 2008, there are a few things you have to do in the Group Policy Management component.

Perform the following steps:

Start->Administrative Tools->Group Policy Management

Open up your Forest->Domains->->Domain Controllers

Right Click on the entry and choose Edit


This will open up another window.

Go to Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies

Then edit Audit Policy as shown in the image or, at the very least, modify Audit object access and check all three check boxes: “Define these policy settings”, “Success” and “Failure”; click the OK button to close the dialog box.

Below it is User Rights Assignments. Click on that and then click on the Policy: Generate Security audits.


Add your domain and username; in my case it's UIDDEV\Administrator. This will be the user my program will run under. Voila! You have access to modify the security logs.

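As an added check that is not part of the original question or answer: the Group Policy steps above assign the "Generate security audits" user right (SeAuditPrivilege) and turn on object-access auditing, but a token only picks up a newly assigned right at the next logon, and AdjustTokenPrivileges reports success even when the right is absent. The script below, written here as an example, verifies all three conditions on the machine where the tool will run, using only whoami, secedit and auditpol. The temporary export file name is an assumption of the example.

```powershell
# Added diagnostic script (example, not the original poster's code).
# Verifies, for the account that will run MyTool.exe, that:
#   1. the logon token carries SeAuditPrivilege ("Generate security audits")
#   2. the effective security policy grants that right to the account
#   3. the Object Access audit subcategories are actually being audited
# Run from an elevated PowerShell prompt; secedit and auditpol need admin rights.

$privName = 'SeAuditPrivilege'

# 1. Token check: whoami /priv lists every privilege present in the current token.
#    A privilege missing from this list cannot be enabled by AdjustTokenPrivileges:
#    the call returns TRUE but GetLastError() is ERROR_NOT_ALL_ASSIGNED (1300),
#    and the later AuthZ call fails with ERROR_PRIVILEGE_NOT_HELD (1314).
$tokenPrivs = whoami /priv
$inToken = $tokenPrivs | Where-Object { $_ -match "^\s*$privName\s" }
if ($inToken) {
    Write-Host "Token holds $privName : $($inToken.Trim())"
} else {
    Write-Host "Token does NOT hold $privName. Either the user right is not assigned,"
    Write-Host "or the policy changed after logon: run 'gpupdate /force' and log on again."
}

# 2. Policy check: export the effective security policy and read the
#    [Privilege Rights] line for SeAuditPrivilege. Grantees are SIDs prefixed
#    with '*' (resolved to account names below) or plain account names.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed temp file name
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern "^$privName\s*=" | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line) {
    $grantees = ($line.Line -split '=', 2)[1].Trim() -split ','
    $resolved = foreach ($g in $grantees) {
        $g = $g.Trim()
        if ($g.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($g.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $g }
        } else {
            $g
        }
    }
    Write-Host "'Generate security audits' is granted to: $($resolved -join ', ')"
} else {
    Write-Host "No $privName entry in the effective policy (only built-in defaults apply)."
}

# 3. Audit policy check: the answer enables Success and Failure for
#    'Audit object access'; auditpol shows the per-subcategory setting in effect.
auditpol /get /category:"Object Access"
```

If step 1 fails while step 2 shows the account, the GPO has been applied but the process is still running under a token created before the change; a fresh logon (or restarting the service that hosts the tool) is what makes the privilege appear in the token.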

Licensed under: CC-BY-SA with attribution