DC permissions for event log

Posted on 2009-05-01
Medium Priority
Last Modified: 2012-05-06
I'm having a hard time finding out how to let a normal user (non domain admin) view the event logs on domain controllers.

I know there is a security and audit log in the secpol.msc local security policy but didn't do much testing. I know that will also allow install of patches assuming they have local logon rights.

What security group or local security policy would allow for non domain admins to view event logs on Domain Controllers?
Question by:snyderkv
LVL 14

Accepted Solution

Ram Balachandran earned 2000 total points
ID: 24281716

Try this

Users that are granted permission in "Manage audit and security log" will have all access rights on event logs, including read, write, and CLEAR. That may be an issue if these users can clear event logs.

If you need more specific control over event log access, here are some references.

The security of each log is configured locally in:

Key path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Windows log type>\
Name: CustomSD
Value: SDDL syntax ACL information

For more information, please refer to:
How to set event log security locally or by using Group Policy in Windows Server 2003
Security Descriptor Definition Language
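
An added example, not part of the original answer: a small Python audit helper that reads a CustomSD string, reports which trustees its allow ACEs let read, write or clear the log, and appends a read-only ACE (mask 0x1) for one group. The sample SDDL string and the group SID are constructed placeholders; the bit meanings used are 0x1 read, 0x2 write, 0x4 clear.

```python
import re

# Event log access bits carried in the rights field of a CustomSD ACE.
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# Constructed sample value, not taken from a real domain controller.
SAMPLE = "O:BAG:SYD:(D;;0xf0007;;;AN)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;IU)"
# Placeholder SID for a hypothetical "log readers" group.
READERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"

def split_sddl(sddl):
    """Split into (owner/group/DACL part, SACL part or '')."""
    head, sep, sacl = sddl.partition("S:")
    return head, sep + sacl

def parse_dacl(sddl):
    """Return (ace_type, mask, trustee) for every ACE in the DACL."""
    dacl = split_sddl(sddl)[0].partition("D:")[2]
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("unexpected ACE: " + body)
        rights = fields[2].lower()
        # Symbolic rights such as GA are left as None for manual review.
        mask = int(rights, 16) if rights.startswith("0x") else None
        aces.append((fields[0], mask, fields[5]))
    return aces

def allowed(sddl):
    """Map trustee -> rights granted by allow ACEs (deny ACEs not applied)."""
    out = {}
    for ace_type, mask, trustee in parse_dacl(sddl):
        if ace_type == "A" and mask is not None:
            names = {n for bit, n in RIGHTS.items() if mask & bit}
            out.setdefault(trustee, set()).update(names)
    return {t: sorted(r) for t, r in out.items()}

def add_read_only(sddl, sid):
    """Append an allow ACE with mask 0x1 (read only) to the DACL."""
    if not re.fullmatch(r"S-1-\d+(-\d+)+", sid):
        raise ValueError("expected a SID string")
    head, sacl = split_sddl(sddl)
    if "D:" not in head:
        raise ValueError("no DACL to extend")
    return head + "(A;;0x1;;;" + sid + ")" + sacl

if __name__ == "__main__":
    updated = add_read_only(SAMPLE, READERS_SID)
    print(updated)
    print(allowed(updated))
```

Running `allowed()` over the current CustomSD before and after a change makes it easy to confirm that the new group holds read only and that no unexpected trustee holds clear.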

Author Comment

ID: 24281910
Is the first link incorrect? It explains simple file sharing. I don't think that has anything to do with allowing users to view event logs on DCs. I'm still a little lost. What about allowing users to log on locally to DCs with no rights except to view security logs? I think that would be more secure because they can view but not erase logs.


Question has a verified solution.
