Jerome Slaughter asked:
Computer Management Window permissions

Hello Experts,

I am a system administrator for a network and would like to grant a non-system administrator account limited administrator permissions on the network to be able to view/pull Event Viewer logs from multiple machines using the Computer Management window. I prefer not to add this user into the Domain Admins group if possible. Is there a way to grant limited administrator permissions without giving full administrator privileges? My internet research has not led me to the right answer as of yet.

thanks in advance!
netballi:

Jerome Slaughter (asker):
Thanks for the link above. Followed the link and tried what it recommended. The non-administrator account can now connect to other computers through the computer management window (which is what we wanted) but is not able to view or clear any of the event logs. It gives an access denied message. I am trying to continue looking through the other group policy settings to see where I can grant the non-administrator account access in viewing and clearing event viewer logs. Any suggestions?
It seems like there is no non-administrative permission to allow a non-admin account to view, save and clear event logs. I've tried different permissions on a test account on my network and once I added the administrator permission to the test account, then it allowed the account to view, save and clear event logs. Maybe that's the answer ... just giving the test account administrator permissions and not domain admin permissions.

DH:

I think your way would work just fine, giving them local admin over that box, but would you be against automating things with PowerShell?  I know I reach for PowerShell as a solution to everything, but you can do a lot with what you're talking about.

My preferred option would be to use a script to view any event logs, clear them out, save/export them.  And you could automate the rollup and have it send an email with HTML formatting.  It might look like this:

Type and Description             Event ID    Occurrences    Server Name
"Warning: Here's a message"      1111        15             Test1
"Error: Here's a diff one"       2222        1              Test2

I hated going through event logs individually, but you really only care about a few core server logs, right?  You're either looking for MANY errors that you weren't expecting, or you look for lockouts, failed logins, etc.  I'm sure there's an exhaustive list you could find that you're looking for, but you could really save time by not having someone manually go through them.  The good thing is, once you make your exhaustive list of what you're looking for, and all the rest becomes "white noise", you can rest easy knowing that you're going to be able to get an instant look at your server health each morning with that email.  You don't even have to make a list of the errors you're especially worried about.  You can just create one that polls all the servers in a list, grabs all the event logs, and grabs just the security failures, application criticals, system criticals, and then gives you a list of each ID and how many times they showed up.  Then, looking at those errors the first time is necessary.   You make notes: "I don't care about eventID 64 because it's something I can't fix because we can't update our whatever", so now 64 is a common occurrence and you're trained to keep looking for stuff that would actually be a problem.  You keep going down this road and make your "acceptable errors" list and get a rollup each day that you can compare to the previous day.  If you see a spike or an unknown ID, you know you'll have to investigate.  There's SOOOO much you could shorten out of your day.  We went out one time and had to keep servers up for about a year.  In that time, we made our daily server checks all automated and pretty much saved 4 hours a day that way.  It's worth the investment.

Here's a quick command to get all the Critical Errors in the last 24 hours in like 2 seconds then sort by ID and do a count:

# Level 2 = Error (Level 1 = Critical); -EA SilentlyContinue suppresses the "No events were found" error on an empty result
$Logs = Get-WinEvent -FilterHashTable @{LogName='Application'; level=2; StartTime=((get-date).adddays(-1))} -EA SilentlyContinue
# Group the events by event ID and list each ID with its occurrence count
$Logs | Group ID | select name,count



Normally, not using a FilterHashTable, you would be looking at a large amount of seconds if you had to wait for it to go through each log entry.

But if you wanted to do all this, I would recommend breaking down what you need further and putting the question under PowerShell.

DH
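The daily rollup DH describes, written out as an added example (not DH's, the asker's or Rich's code): it polls a list of servers, pulls Security audit failures plus Critical/Error events from Application and System for the last 24 hours, counts them per event ID, compares the counts with the previous day's saved baseline, flags IDs that are new or have spiked, skips IDs already triaged as acceptable noise, and renders the result as an HTML table for e-mail. The server names, file paths, mail addresses and the "acceptable errors" entry are placeholders. It assumes the account running it can read the remote logs; where it cannot, the access-denied error the asker hit is surfaced as a warning instead of being hidden.

```powershell
# Added example: daily event-log rollup across several servers (placeholder names and paths).
$Servers      = @('Test1', 'Test2')                  # placeholder host names
$BaselinePath = 'C:\Reports\eventlog-baseline.json'  # placeholder: yesterday's counts live here
$Since        = (Get-Date).AddDays(-1)

# What to pull: audit failures from Security; Critical (1) and Error (2) from Application and System.
$AuditFailure = [long]0x10000000000000               # StandardEventKeywords::AuditFailure
$Filters = @(
    @{ LogName = 'Security';    Keywords = $AuditFailure; StartTime = $Since },
    @{ LogName = 'Application'; Level    = 1, 2;          StartTime = $Since },
    @{ LogName = 'System';      Level    = 1, 2;          StartTime = $Since }
)

$Rows = foreach ($Server in $Servers) {
    foreach ($Filter in $Filters) {
        $Events = Get-WinEvent -ComputerName $Server -FilterHashtable $Filter `
                               -ErrorAction SilentlyContinue -ErrorVariable GetErr
        # An empty result is reported as an error by Get-WinEvent; anything else (access denied,
        # RPC unavailable) is a real problem with the account or the host and must not be swallowed.
        if ($GetErr -and $GetErr[0].Exception.Message -notmatch 'No events were found') {
            Write-Warning "$Server/$($Filter.LogName): $($GetErr[0].Exception.Message)"
        }
        $Events | Group-Object -Property Id | ForEach-Object {
            $First = $_.Group[0]
            [pscustomobject]@{
                Server      = $Server
                Log         = $Filter.LogName
                EventId     = [int]$_.Name
                Level       = $First.LevelDisplayName
                Occurrences = $_.Count
                Sample      = ($First.Message -split "`n")[0]   # first line of one message
            }
        }
    }
}

# Load yesterday's counts, keyed Server|Log|EventId, if a baseline file exists and is non-empty.
$Previous = @{}
if ((Test-Path $BaselinePath) -and (Get-Item $BaselinePath).Length -gt 0) {
    Get-Content $BaselinePath -Raw | ConvertFrom-Json | ForEach-Object {
        $Previous["$($_.Server)|$($_.Log)|$($_.EventId)"] = $_.Occurrences
    }
}

# IDs already triaged as acceptable noise, keyed Log|EventId (placeholder entry).
$Acceptable = @{ 'Application|64' = 'Cannot be fixed until the vendor component is updated' }

$Report = foreach ($Row in $Rows) {
    $Key    = "$($Row.Server)|$($Row.Log)|$($Row.EventId)"
    $Before = if ($Previous.ContainsKey($Key)) { $Previous[$Key] } else { 0 }
    $Status = if ($Acceptable.ContainsKey("$($Row.Log)|$($Row.EventId)")) { 'Known noise' }
              elseif ($Before -eq 0)                     { 'NEW ID - investigate' }
              elseif ($Row.Occurrences -gt 2 * $Before)  { 'Spike - investigate' }
              else                                       { 'Steady' }
    $Row | Add-Member -NotePropertyName Yesterday -NotePropertyValue $Before -PassThru |
           Add-Member -NotePropertyName Status    -NotePropertyValue $Status -PassThru
}

# Today's counts become tomorrow's baseline.
$Rows | Select-Object Server, Log, EventId, Occurrences | ConvertTo-Json | Set-Content $BaselinePath

# HTML body for the morning e-mail; investigate-first ordering.
$Body = $Report | Sort-Object Status, Server, Log, EventId |
        ConvertTo-Html -Title 'Daily event log rollup' -PreContent "<h2>Rollup since $Since</h2>" |
        Out-String

# Mail parameters are placeholders for your relay; uncomment to send.
# Send-MailMessage -To 'ops@example.invalid' -From 'rollup@example.invalid' -Subject 'Daily event rollup' `
#                  -BodyAsHtml -Body $Body -SmtpServer 'smtp.example.invalid'
$Report | Format-Table Server, Log, EventId, Level, Occurrences, Yesterday, Status -AutoSize
```

Two points the thread does not spell out: the "spike" rule here (more than double yesterday's count) is a constructed threshold to tune per log, and the account that runs this on a schedule needs only read access to the remote logs. On Windows Vista/Server 2008 and later, membership in the built-in local Event Log Readers group on each server grants exactly that read access, which is a narrower grant than local Administrators; clearing a log is still an administrative action, so an account that only reads and exports (as this script does) never needs it.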
ASKER CERTIFIED SOLUTION by Rich Rumble (the solution body is members-only and not shown on the page)
Jerome Slaughter (asker):

Thanks to everyone for the detailed comments above. I guess the answer to my question is No.... there aren't any Active Directory non-admin permissions to allow viewing, saving and then clearing of Event Viewer logs for multiple computers on a network via the Computer Management window. During my testing it seems like an account must be part of the Domain Admins group to have the full permissions to view, save and clear Event Viewer logs.

We have a dedicated person that does our network logs for our workstations and servers and the person currently has a full admin account on our network. If possible it was preferred to provide the person with limited admin privileges in order to do the logs instead of a full admin account.

I'm not familiar with PowerShell but have heard of it and seen it. I do have an automated .vbs script that pulls logs as well if it's decided to go back to that route. Pulling the logs manually for this particular person allowed the person to consume time in reviewing logs and saving them to the network at its own pace.

Rich Rumble:

You don't need domain admin unless it's a domain controller, otherwise local admin works well. If you have 2003 you can FWD the logs.
http://blogs.technet.com/b/wincat/archive/2009/06/23/forwarding-security-events-from-windows-xp-server-2003-and-vista-server-2008.aspx
http://technet.microsoft.com/en-us/library/cc748890.aspx (Applies To: Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Vista)
-rich
Jerome Slaughter (asker):

Just as I thought.... non-admin accounts cannot access event logs within Event Viewer on a network domain.