?
Solved

Problem opening Security Event viewer without Domain Admin account

Posted on 2007-12-07
4
Medium Priority
?
708 Views
Last Modified: 2012-06-21
Hi

I am trying to create a group that are able to access the security event viewer on a 2003 DC without granting full domain admin access. I have tried permissioning the area where the files are located (system32\config). I have also made sure the group is not a member of the guest accounts as microsoft suggest. Would prefer it if I dont have to mess around with the regitry or doing anything too drastic but running out of options a bit.

Any help greatly appreicated

Cheers

Jamie
0
Comment
Question by:itlplc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 4

Expert Comment

by:tomo999
ID: 20426746
You can allow access to this by updating the SDDL string in the following key;
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\CustomSD

The default string should be something like;
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)

You can add additional access by extending the string to include;
(A;;0x1;;;SID OF GROUP)

So the new string would be;
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;[SID OF GROUP])

You can learn more about SDDL here;
http://msdn2.microsoft.com/en-us/library/aa379567.aspx

Hope that helps.
0
 

Author Comment

by:itlplc
ID: 20426765
Thanks for the speedy response tomo999, I dont suppose you have any less risky ideas. I understand if this is the only way but am loathed to edit the regitry unless theres no other choice :-)

Cheers

Jamie
0
 
LVL 4

Expert Comment

by:tomo999
ID: 20426800
Unfortunately I couldn't find any other way to do it.

I would just make sure you test it on a non-production system first and then make sure you have sufficient backups of your DCs when you go live.

It took me a while to get the SDDL syntax correct but now I have, I haven't had any problems with it since.
0
 
LVL 4

Accepted Solution

by:
tomo999 earned 1500 total points
ID: 20426807
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Make the most of your online learning experience.
With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question