DC permissions for event log

Posted on 2009-05-01
Last Modified: 2012-05-06
I'm having a hard time finding out how to let a normal user (non domain admin) view the event logs on domain controllers.

I know there is a security and audit log in the secpol.msc local security policy but didn't do much testing. I know that will also allow install of patches assuming they have local logon rights.

What security group or local security policy would allow for non domain admins to view event logs on Domain Controllers?
Question by: snyderkv

    Accepted Solution


    Try this

    Users that are granted permission in "Manage audit and security log" will have all access rights on event logs including read, write, and CLEAR. That may be an issue if these users can clear event logs.
    If you need a more specific control on event log access, here are some references:
    The security of each log is configured locally in:
    KEY path:  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Windows log type>\
    Name:      CustomSD
    Value:     SDDL syntax ACL information
    For more information, please refer to:
    - How to set event log security locally or by using Group Policy in Windows Server 2003
    - Security Descriptor Definition Language
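An added example, not part of the original answer: a PowerShell sketch that decodes a CustomSD SDDL string into per-trustee read/write/clear rights and appends a read-only ACE for one group. The function names, the sample SDDL string and the group SID are constructed for illustration; the mask bits 0x1 (read), 0x2 (write) and 0x4 (clear) are the event log access rights Microsoft documents for CustomSD.

```powershell
# Event log access-mask bits used in CustomSD ACEs: read, write, clear.
$EventLogRights = [ordered]@{ Read = 0x1; Write = 0x2; Clear = 0x4 }

function Get-EventLogAce {
    # Decode every DACL entry of a CustomSD SDDL string into trustee + named rights.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $names = foreach ($r in $EventLogRights.GetEnumerator()) {
            if ($ace.AccessMask -band $r.Value) { $r.Key }
        }
        [pscustomobject]@{
            Type    = $ace.AceQualifier                 # AccessAllowed or AccessDenied
            Trustee = $ace.SecurityIdentifier.Value
            Mask    = '0x{0:x}' -f $ace.AccessMask
            Rights  = $names -join ','
        }
    }
}

function Add-EventLogReadAce {
    # Return the SDDL with one extra allow ACE that carries only the read bit.
    param([Parameter(Mandatory)][string]$Sddl,
          [Parameter(Mandatory)][string]$Sid)
    # Parsing validates both inputs; a bad SDDL string or SID throws here.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $null = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Sid
    # A plain append is only correct when the DACL is the last section.
    if ($null -ne $sd.SystemAcl) {
        throw 'SDDL contains a SACL (S:) section; place the ACE before it by hand.'
    }
    $Sddl + "(A;;0x1;;;$Sid)"
}

# Constructed sample value, not taken from a real DC. On a live system the
# current string would come from the CustomSD value under the key named above.
$sample  = 'O:BAG:SYD:(A;;0x7;;;BA)(A;;0x5;;;SO)'
$readers = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder group SID

$updated = Add-EventLogReadAce -Sddl $sample -Sid $readers
Get-EventLogAce -Sddl $updated | Format-Table -AutoSize

# Trustees that are allowed to clear the log; the new group must not appear here.
Get-EventLogAce -Sddl $updated |
    Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Rights -match 'Clear' }
```

Running the decode step against the existing CustomSD value before and after a change gives a quick check that the delegated group received read access only.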

    Author Comment

    Is the first link incorrect? It explains simple file sharing. I don't think that has anything to do with allowing users to view event logs on DCs. I'm still a little lost. What about allowing users to log on locally to DCs with no rights except to view security logs? I think that would be more secure because they can view but not erase logs.
