Solved

Problem opening Security Event viewer without Domain Admin account

Posted on 2007-12-07
4
703 Views
Last Modified: 2012-06-21
Hi

I am trying to create a group that are able to access the security event viewer on a 2003 DC without granting full domain admin access. I have tried permissioning the area where the files are located (system32\config). I have also made sure the group is not a member of the guest accounts as microsoft suggest. Would prefer it if I dont have to mess around with the regitry or doing anything too drastic but running out of options a bit.

Any help greatly appreicated

Cheers

Jamie
0
Comment
Question by:itlplc
  • 3
4 Comments
 
LVL 4

Expert Comment

by:tomo999
ID: 20426746
You can allow access to this by updating the SDDL string in the following key;
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security\CustomSD

The default string should be something like;
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)

You can add additional access by extending the string to include;
(A;;0x1;;;SID OF GROUP)

So the new string would be;
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;[SID OF GROUP])

You can learn more about SDDL here;
http://msdn2.microsoft.com/en-us/library/aa379567.aspx

Hope that helps.
0
 

Author Comment

by:itlplc
ID: 20426765
Thanks for the speedy response tomo999, I dont suppose you have any less risky ideas. I understand if this is the only way but am loathed to edit the regitry unless theres no other choice :-)

Cheers

Jamie
0
 
LVL 4

Expert Comment

by:tomo999
ID: 20426800
Unfortunately I couldn't find any other way to do it.

I would just make sure you test it on a non-production system first and then make sure you have sufficient backups of your DCs when you go live.

It took me a while to get the SDDL syntax correct but now I have, I haven't had any problems with it since.
0
 
LVL 4

Accepted Solution

by:
tomo999 earned 500 total points
ID: 20426807
0

Join & Write a Comment

Suggested Solutions

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now