[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 427
  • Last Modified:

Computer Management Window permissions

Hello Experts,

I am a system administrator for a network and would like to grant a non-system administrator account limited administrator permissions on the network to be able to view/pull Event Viewer logs from multiple machines using the computer management window. I prefer not to add this user into the domain admins group if possible. Is there a way to grant limited administrator permissions without giving full administrator priviledges? My internet research has not led me to the right answer as of yet.

thanks in advance!
0
jslaught
Asked:
jslaught
1 Solution
 
jslaughtAuthor Commented:
Thanks for the link above. Followed the link and tried what it recommended. The non-administrator account can now connect to other computers through the computer management window (which is what we wanted) but is not able to view or clear any of the event logs. It gives an access denied message. I am trying to continue looking through the other group policy settings to see where I can grant the non-administrator account access in viewing and clearing event viewer logs. Any suggestions?
0
 
jslaughtAuthor Commented:
It seems like there is no non-administrative permission to allow a non-admin account to view, save and clear event logs. I've tried different permissions on a test account on my network and once I added the administrator permission to the test account, then it allowed the account to view, save and clear event logs. Maybe that's the answer ... just giving the test account administrator permissions and not domain admin permissions
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Dale HarrisCommented:
I think your way would work just fine, giving them local admin over that box, but would you be against automating things with PowerShell?  I know I reach for PowerShell as a solution to everything, but you can do a lot with what you're talking about.  

My preferred option would be to use a script to view any event logs, clear them out, save/export them.  And you could automate the rollup and have it send an email with HTML formatting.  It might look like this:

Type and Description                      Event ID          Occurrences         Server Name
"Warning: Here's a message"             1111                  15                       Test1
"Error: Here's a diff one"                 2222                   1                        Test2

I hated going through event logs individually, but you really only care about a few core server logs, right?  You're either looking for MANY errors that you weren't expecting, or you look for lockouts, failed logins, etc.  I'm sure there's an exhaustive list you could find that you're looking for, but you could really save time by not having someone manually go through them.  The good thing is, once you make your exhaustive list of what you're looking for, and all the rest becomes "white noise", you can rest easy knowing that you're going to be able to get an instant look at your server health each morning with that email.  You don't even have to make a list of the errors you're especially worried about.  You can just create one that polls all the servers in a list, grabs all the event logs, and grabs just the security failures, application criticals, system criticals, and then gives you a list of each ID and how many times they showed up.  Then, looking at those errors the first time is necessary.   You make notes: "I don't care about eventID 64 because it's something I can't fix because we can't update our whatever", so now 64 is a common occurrence and you're trained to keep looking for stuff that would actually be a problem.  You keep going down this road and make your "acceptable errors" list and get a rollup each day that you can compare to the previous day.  If you see a spike or an unknown ID, you know you'll have to investigate.  There's SOOOO much you could shorten out of your day.  We went out one time and had to keep servers up for about a year.  In that time, we made our daily server checks all automated and pretty much saved 4 hours a day that way.  It's worth the investment.

Here's a quick command to get all the Critical Errors in the last 24 hours in like 2 seconds then sort by ID and do a count:

$Logs = Get-WinEvent -FilterHashTable @{LogName='Application'; level=2; StartTime=((get-date).adddays(-1))} -EA SilentlyContinue
$Logs | Group ID | select name,count

Open in new window


Normally, not using a FilterHashTable, you would be looking at a large amount of seconds if you had to wait for it to go through each log entry.

But if you wanted to do all this, I would recommend breaking down what you need further and putting the question under Powershell.

DH
0
 
Rich RumbleSecurity SamuraiCommented:
Is it necessary to view them in the event viewer, or would another format work as well? What is being looked for? WMI can be used to read the event logs, as long as you apply permissions to the proper namespace.There are 3rd party tools to FWD logs to a central place place. In XP you can't copy event logs(files) and have the event viewer read them (they are marked "dirty"). You can do a save-as/export and read them. This is not true in Vista and 7, you can copy them and read them on another computer (just copy them over). You do need permission to get to those directories which non-admins do not have.
-rich
0
 
jslaughtAuthor Commented:
Thanks to everyone for the detailed comments above. I guess the answer to my question is No.... there aren't any active directory non-admin permissions to allow viewing, saving and then clearing of event viewer logs for multiple computers on a network via the computer management window. During my testing it seems like an account must apart of the domain admin group to have the full permissions to view, save and clear event viewer logs.

We have a dedicated person that does our network logs for our workstations and servers and the person currently has an full admin account on our network. If possible it was preferred to provide the person with limited admin priviledges in order to do the logs instead of a full admin account.

I'm not familiar with PowerShell but have heard of it and seen it. I do have an automated .vbs script that pulls logs as well if it's decided to go back to that route. Pulling the logs manually for this particular person allowed the person to consume time in reviewing logs and saving them to the network at it's own pace.
0
 
Rich RumbleSecurity SamuraiCommented:
You don't need domain admin unless it's a domain controller, otherwise local admin works well. If you have 2003 you can FWD the logs.
http://blogs.technet.com/b/wincat/archive/2009/06/23/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx
http://technet.microsoft.com/en-us/library/cc748890.aspx (Applies To: Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Vista)
-rich
0
 
jslaughtAuthor Commented:
Just as I thought.... non-admin accounts cannot access event logs within event viewer on a network domain.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now