?
Solved

Problem opening Security Event viewer without Domain Admin account

Posted on 2007-12-07
4
Medium Priority
?
712 Views
Last Modified: 2012-06-21
Hi

I am trying to create a group that are able to access the security event viewer on a 2003 DC without granting full domain admin access. I have tried permissioning the area where the files are located (system32\config). I have also made sure the group is not a member of the guest accounts as microsoft suggest. Would prefer it if I dont have to mess around with the regitry or doing anything too drastic but running out of options a bit.

Any help greatly appreicated

Cheers

Jamie
0
Comment
Question by:itlplc
  • 3
4 Comments
 
LVL 4

Expert Comment

by:tomo999
ID: 20426746
You can allow access to this by updating the SDDL string in the following key;
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\CustomSD

The default string should be something like;
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)

You can add additional access by extending the string to include;
(A;;0x1;;;SID OF GROUP)

So the new string would be;
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;[SID OF GROUP])

You can learn more about SDDL here;
http://msdn2.microsoft.com/en-us/library/aa379567.aspx

Hope that helps.
0
 

Author Comment

by:itlplc
ID: 20426765
Thanks for the speedy response tomo999, I dont suppose you have any less risky ideas. I understand if this is the only way but am loathed to edit the regitry unless theres no other choice :-)

Cheers

Jamie
0
 
LVL 4

Expert Comment

by:tomo999
ID: 20426800
Unfortunately I couldn't find any other way to do it.

I would just make sure you test it on a non-production system first and then make sure you have sufficient backups of your DCs when you go live.

It took me a while to get the SDDL syntax correct but now I have, I haven't had any problems with it since.
0
 
LVL 4

Accepted Solution

by:
tomo999 earned 1500 total points
ID: 20426807
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
Last month Marc Laliberte, WatchGuard’s Senior Threat Analyst, contributed reviewed the three major email authentication anti-phishing technology standards: SPF, DKIM, and DMARC. Learn more in part 2 of the series originally posted in Cyber Defense …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question