Solved

Problem opening Security Event viewer without Domain Admin account

Posted on 2007-12-07
Last Modified: 2012-06-21
Hi

I am trying to create a group that is able to access the security event viewer on a 2003 DC without granting full domain admin access. I have tried permissioning the area where the files are located (system32\config). I have also made sure the group is not a member of the guest accounts as Microsoft suggest. Would prefer it if I don't have to mess around with the registry or do anything too drastic, but running out of options a bit.

Any help greatly appreciated

Cheers

Jamie
Question by:itlplc
 
LVL 4

Expert Comment

by:tomo999
ID: 20426746
You can allow access to this by updating the SDDL string in the following key;
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\CustomSD

The default string should be something like;
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)

You can add additional access by extending the string to include;
(A;;0x1;;;SID OF GROUP)

So the new string would be;
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;[SID OF GROUP])

You can learn more about SDDL here;
http://msdn2.microsoft.com/en-us/library/aa379567.aspx

Hope that helps.
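An added example, not part of tomo999's post and not Microsoft tooling: a Python helper that decodes each ACE in the CustomSD string quoted above so the change can be reviewed, then appends a read-only ACE for one group. The function names are hypothetical, GROUP_SID is a constructed placeholder, and the right names follow Microsoft's event log documentation (0x1 read, 0x2 write, 0x4 clear).

```python
import re

# Access bits used in event log descriptors: the three log-specific rights
# plus the standard rights (names as in Microsoft's event log documentation).
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear", 0x10000: "DELETE",
          0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
TRUSTEES = {"AN": "Anonymous Logon", "BG": "Builtin Guests",
            "SY": "Local System", "BA": "Builtin Administrators"}
ACE_RE = re.compile(r"\(([AD]);;(0x[0-9a-fA-F]+);;;([^;()]+)\)")
SID_RE = re.compile(r"S-1-\d+(-\d+)+")

# Default string as quoted in the answer above.
DEFAULT_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)"
              "(A;;0xf0005;;;SY)(A;;0x5;;;BA)")
# Constructed placeholder SID; substitute the real SID of the group.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"


def split_sd(sddl):
    """Split into (header, ACE tuples); refuse any layout not fully understood."""
    header, sep, dacl = sddl.partition("D:")
    aces = ACE_RE.findall(dacl)
    if not sep or not aces or "".join("(%s;;%s;;;%s)" % a for a in aces) != dacl:
        raise ValueError("unexpected SDDL layout: %r" % sddl)
    return header, aces


def describe(sddl):
    """Decode each ACE into (effect, trustee, [rights]) for review before a change."""
    rows = []
    for kind, mask, trustee in split_sd(sddl)[1]:
        bits = int(mask, 16)
        if bits & ~sum(RIGHTS):
            raise ValueError("unknown access bits in " + mask)
        names = [name for bit, name in RIGHTS.items() if bits & bit]
        rows.append(("allow" if kind == "A" else "deny",
                     TRUSTEES.get(trustee, trustee), names))
    return rows


def add_read_ace(sddl, group_sid):
    """Append an allow ACE with only the read bit (0x1), so the group cannot clear the log."""
    if not SID_RE.fullmatch(group_sid):
        raise ValueError("not a SID: %r" % group_sid)
    if any(t == group_sid for _, _, t in split_sd(sddl)[1]):
        return sddl  # the group already has an ACE; do not stack a second one
    return sddl + "(A;;0x1;;;%s)" % group_sid
```

Running describe() on the value read from the registry before and after the edit gives a reviewable record of exactly which rights changed.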
 

Author Comment

by:itlplc
ID: 20426765
Thanks for the speedy response tomo999. I don't suppose you have any less risky ideas? I understand if this is the only way but am loath to edit the registry unless there's no other choice :-)

Cheers

Jamie
 
LVL 4

Expert Comment

by:tomo999
ID: 20426800
Unfortunately I couldn't find any other way to do it.

I would just make sure you test it on a non-production system first and then make sure you have sufficient backups of your DCs when you go live.

It took me a while to get the SDDL syntax correct but now I have, I haven't had any problems with it since.
 
LVL 4

Accepted Solution

by:
tomo999 earned 1500 total points
ID: 20426807