Solved

Event Log Reader for 2008 Domain Controller

Posted on 2013-05-16
Last Modified: 2014-02-02
I'm trying to grant read access to the event logs of our Windows 2008 domain controller using the Event Log Reader built-in security group and Group Policy, according to

http://serverfault.com/questions/346625/is-it-possible-to-grant-read-only-access-to-all-event-logs-on-domain-controllers

However, this is not working.  At first I thought it was a firewall issue.  I enabled inbound rule

     "Remote Event Log Management (RPC)"

which did not fix it.  My test user gets the following error when trying to access the event logs via the Event Viewer:

     "Event Viewer cannot open the event log or custom view. Verify that Event Log
      service is running or query is too long. Access is denied (5)"

The numerous references I've found to the "Event Log Readers" group don't mention any additional required steps.  I've confirmed with the GPMC Group Policy Results wizard that the policy setting is getting set.

Does anyone know what the missing step(s) are I need to do?
Question by:RhoSysAdmin
19 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 39172809
You would not even need to be a member of that group as long as your account has admin group membership at the server. We use this and we had to enable a few things at the server, let me see... the Plug and Play service it was, I think.
0
 

Author Comment

by:RhoSysAdmin
ID: 39198193
I can tell you the "Event Log Readers" group membership via GPO has worked for all my other Windows 2008 servers, so there's clearly an additional step for DCs that I'm missing.
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39198217
0

 
LVL 54

Expert Comment

by:McKnife
ID: 39198594
I am not saying that this is NOT working. I am saying that mere admin rights would also be enough AND that the service "plug and play" needs to be started at the server.

Please check both and give feedback on both.
0
 

Author Comment

by:RhoSysAdmin
ID: 39199229
The PnP service is set to automatic and it's started.

I don't doubt this would work fine if I gave the user(s) admin rights to my DC, but that's too big a security risk for my liking.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39199565
Hi again.

Just got it to work from win8 to 2012 server (the DC). Simply use the firewall exception called "Remote eventlog management" at the server. I guess it will be the same at 2008 R2.
0
 

Author Comment

by:RhoSysAdmin
ID: 39203276
I'm still getting an access denied message.  Attached is a screenshot of what we're seeing.
denied.png
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39203834
Works for me, just tried it on 2008 R2.
If you are doing just the same (adding your user to the group "Event Log Readers" right at the server and making a firewall exception for remote event log management), then it must work; we have nothing else configured, so something odd must be going on.
So please double check. I get exactly your message if I am not a member of the group. Are you sure you added yourself at the right server?
0
 

Author Comment

by:RhoSysAdmin
ID: 39205054
Well, I apparently have a GPO problem.  I run the Group Policy Results wizard from GPMC and it shows the group membership for "Event Log Readers".  I run gpresult on my DC and it shows me my change to the "Event Log Readers" group.

But when I run net localgroup "Event Log Readers" on the DC, it doesn't show me any members, which jibes with my end result.
0
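A diagnostic script that walks the checks raised in this thread in one pass (this is an added example, not something posted by either participant). It assumes the RSAT ActiveDirectory module is available where it runs, and the DC name and test account are placeholders you supply.

```powershell
# Added example: verify the pieces discussed above against one DC.
# Assumptions: RSAT ActiveDirectory module present; $Dc is a placeholder DC name;
# the credential prompt is answered with the non-admin test account.
param(
    [string]$Dc = 'dc01.example.com',         # placeholder, replace with your DC
    [string]$GroupName = 'Event Log Readers'  # built-in group discussed in the thread
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. A DC has no local SAM; its built-in groups are AD objects, so query AD for
#    the membership the DC will actually enforce (net localgroup output may differ).
$members = Get-ADGroupMember -Identity $GroupName -Server $Dc -ErrorAction Stop
if ($members) {
    Write-Host "Members of '$GroupName' on $Dc :"
    $members | Select-Object name, objectClass, SID | Format-Table -AutoSize
} else {
    Write-Warning "'$GroupName' has no members on $Dc; the GPO did not populate it."
}

# 2. The service and firewall rule mentioned in the thread.
Get-Service -Name PlugPlay -ComputerName $Dc | Select-Object Name, Status
Invoke-Command -ComputerName $Dc -ScriptBlock {
    netsh advfirewall firewall show rule name="Remote Event Log Management (RPC)"
}

# 3. Reproduce the end-user test: read the System log over RPC as the test account.
#    "Access is denied" here, with step 1 showing no members, points at the GPO.
$testCred = Get-Credential -Message "Account that should be an Event Log Reader"
try {
    $ev = Get-WinEvent -ComputerName $Dc -Credential $testCred -LogName System `
                       -MaxEvents 3 -ErrorAction Stop
    Write-Host "Remote read OK; newest System event $($ev[0].Id) at $($ev[0].TimeCreated)"
} catch {
    Write-Warning "Remote read failed: $($_.Exception.Message)"
}
```

Run it from a management workstation rather than on the DC itself so step 3 exercises the same RPC path the Event Viewer uses.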
 
LVL 54

Expert Comment

by:McKnife
ID: 39205138
Now you know the cause. Put him in manually. If that is not sufficient, please specify what you did at GPO level. I would use restricted groups for this (another GPO feature).
0
 

Author Comment

by:RhoSysAdmin
ID: 39205154
Upon further review, we see the following error in the DC's system event log:

      Log Name:      System
      Source:        Microsoft-Windows-DistributedCOM
      Date:          5/29/2013 12:12:06 PM
      Event ID:      10016
      Task Category: None
      Level:         Error
      Keywords:      Classic
      User:          role_servdesk
      Computer:      xxxx.xxxx.xxxx.com
      Description:
      The application-specific permission settings do not grant Remote Activation permission for the COM Server application with CLSID
      {03837521-098B-11D8-9414-505054503030}
       and APPID
      {03837503-098B-11D8-9414-505054503030}
       to the user role_servdesk SID (S-1-5-21-1777997229-774907200-2146756953-10610) from address 10.10.20.57. This security permission can be modified using the Component Services administrative tool.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39205173
I see no connection.
0
 

Author Comment

by:RhoSysAdmin
ID: 39205230
So I found that my GPO is trying to apply, but I'm violating some group rule:

     net localgroup "Event Log Readers" /add "xxx\IT Service Desk"
     System error 8520 has occurred.

     A local group cannot have another cross domain local group as a member.

I add this domain local group to the local admin group for all workstations, along with other local groups on my SCCM server.  Do the rules change when we're talking about a DC, or local groups on a DC?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39205259
0
 

Author Comment

by:RhoSysAdmin
ID: 39205313
But it's the same domain.  We're a one domain shop.  I tried adding the domain local group without the domain in the name ("IT Service Desk") and got the same error.

FYI, I'm unable to add groups or users via GPO preferences to this Server 2008 R2 DC.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39206949
? So there is something else going on that's much more serious.
Sorry, this one you will have to sort out by yourself, or maybe open a second question.
0
 

Accepted Solution

by:
RhoSysAdmin earned 0 total points
ID: 39814967
Moved on to more important things.
0
 

Author Closing Comment

by:RhoSysAdmin
ID: 39827445
No full solution found.  Closing question.
0
