
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5152

Event Log Reader for 2008 Domain Controller

I'm trying to grant read access to the event logs of our Windows 2008 domain controller using the Event Log Reader built-in security group and Group Policy, according to

http://serverfault.com/questions/346625/is-it-possible-to-grant-read-only-access-to-all-event-logs-on-domain-controllers

However, this is not working.  At first I thought it was a firewall issue.  I enabled inbound rule

     "Remote Event Log Management (RPC)"

which did not fix it.  My test user gets the following error when trying to access the event logs via the Event Viewer:

     "Event Viewer cannot open the event log or custom view. Verify that Event Log
      service is running or query is too long. Access is denied (5)"

The numerous references I've found to the "Event Log Readers" group don't mention any additional required steps.  I've confirmed with the GPMC Group Policy Results wizard that the policy setting is getting set.

Does anyone know what missing step(s) I need to do?
0
Asked by: RhoSysAdmin
1 Solution
 
McKnife commented:
You would not even need to be a member of that group as long as your account has admin group membership at the server. We use this and we had to enable a few things at the server; let me see... the Plug and Play service it was, I think.
0
 
RhoSysAdmin (Author) commented:
I can tell you the "Event Log Readers" group membership via GPO has worked for all my other Windows 2008 servers, so there's clearly an additional step for DC's that I'm missing.
0
 
Jian An Lim (Solutions Architect) commented:
0
 
McKnife commented:
I am not saying that this is NOT working. I am saying that mere admin rights would also be enough AND that the service "plug and play" needs to be started at the server.

Please check both and give feedback on both.
0
 
RhoSysAdmin (Author) commented:
The PnP service is set to automatic and it's started.

I don't doubt this would work fine if I gave the user(s) admin rights to my DC, but that's too big a security risk for my liking.
0
 
McKnife commented:
Hi again.

Just got it to work from win8 to 2012 server (the DC). Simply use the firewall exception called "Remote eventlog management" at the server. I guess it will be the same at 2008 R2.
0
 
RhoSysAdmin (Author) commented:
I'm still getting an access denied message.  Attached is a screenshot of what we're seeing.
denied.png
0
 
McKnife commented:
Works for me, just tried it on 2008 R2.
If you are doing just the same, adding your user to the group "Eventlog Readers" right at the server and making a firewall exception for remote eventlog management, then it must work. We have nothing else configured, so something odd must be going on.
So please double check. I get exactly your message if I am not a member of the group. Are you sure you added yourself at the right server?
0
 
RhoSysAdmin (Author) commented:
Well, I apparently have a GPO problem.  I run the Group Policy Results wizard from GPMC and it shows the group membership for "Events Log Reader".  I run gpresult on my DC and it shows me my change to the "Events Log Readers" group.

But when I run net localgroup "Events Log Readers" on the DC, it doesn't show me any members, which jives with my end result.
0
 
McKnife commented:
Now you know the cause. Put him in manually. If that is not sufficient, please specify what you did at GPO level. I would use restricted groups for this (another GPO feature).
0
 
RhoSysAdmin (Author) commented:
Upon further review, we see the following error in the DC's system event log:

      Log Name:      System
      Source:        Microsoft-Windows-DistributedCOM
      Date:          5/29/2013 12:12:06 PM
      Event ID:      10016
      Task Category: None
      Level:         Error
      Keywords:      Classic
      User:          role_servdesk
      Computer:      xxxx.xxxx.xxxx.com
      Description:
      The application-specific permission settings do not grant Remote Activation permission for the COM Server application with CLSID
      {03837521-098B-11D8-9414-505054503030}
       and APPID
      {03837503-098B-11D8-9414-505054503030}
       to the user role_servdesk SID (S-1-5-21-1777997229-774907200-2146756953-10610) from address 10.10.20.57. This security permission can be modified using the Component Services administrative tool.
0
 
McKnife commented:
I see no connection.
0
 
RhoSysAdmin (Author) commented:
So I found that my GPO is trying to apply, but I'm violating some group rule:

net localgroup "Event Log Readers" /add "xxx\IT Service Desk"
System error 8520 has occurred.

A local group cannot have another cross domain local group as a member.

I add this domain local group to the local admin group for all workstations, along with other local groups on my SCCM server.  Do the rules change when we're talking about a DC, or local groups on a DC?
0
 
McKnife commented:
0
 
RhoSysAdmin (Author) commented:
But it's the same domain.  We're a one domain shop.  I tried adding the domain local group without the domain in the name ("IT Service Desk") and got the same error.

Fyi, I'm unable to add groups nor users via GPO preferences to this Server 2008 R2 DC.
0
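An added diagnostic, not from the thread, that checks on the DC the three things discussed above: the inbound firewall rule, the current membership of the Builtin "Event Log Readers" group, and the scope of the group the GPO is trying to add. Groups in the Builtin container are domain local groups of the separate Builtin domain (SID prefix S-1-5-32), so a DomainLocal group from the AD domain counts as "cross domain local" to them and the add fails with error 8520 even in a single-domain forest; a Global (or Universal) group nests fine. It assumes the RSAT ActiveDirectory module is installed on the DC; "IT Service Desk" is the group name from the thread and the OU path is a placeholder.

```powershell
# Added example, not from the thread. Run on the 2008 R2 DC in an elevated PowerShell.
# Assumes the ActiveDirectory module (RSAT); "IT Service Desk" is the group from the thread.
Import-Module ActiveDirectory

$candidate = "IT Service Desk"   # the group the GPO tries to put into Event Log Readers

# 1. Is the inbound firewall rule named in the thread enabled? (netsh exists on 2008 R2.)
netsh advfirewall firewall show rule name="Remote Event Log Management (RPC)" |
    Select-String -Pattern "Enabled"

# 2. Event Log Readers on a DC is a Builtin group; its well-known SID is S-1-5-32-573.
#    Its DN ends in CN=Builtin, which is why it behaves differently from a member server's local group.
$elr = Get-ADGroup -Identity "S-1-5-32-573" -Properties Members
"Event Log Readers DN: $($elr.DistinguishedName)"
"Current members:"
$elr.Members

# 3. Check the scope of the group being added. A DomainLocal group cannot be nested into a
#    Builtin group (error 8520); Global or Universal groups can.
$g = Get-ADGroup -Identity $candidate -Properties Members
"$($g.Name) scope: $($g.GroupScope)"
if ($g.GroupScope -eq 'DomainLocal') {
    Write-Warning "$candidate is DomainLocal; Builtin groups reject it. Nest via a Global group instead."
    # Remediation sketch (group name and OU path are constructed placeholders, left commented out):
    # $global = "IT Service Desk - EventLogReaders"
    # New-ADGroup -Name $global -GroupScope Global -Path "OU=Groups,DC=example,DC=com"
    # Add-ADGroupMember -Identity $global -Members (Get-ADGroupMember $candidate | Where-Object objectClass -eq 'user')
    # Add-ADGroupMember -Identity $elr -Members $global
}
```

After changing membership, the test user needs a fresh logon token before the Event Viewer connection will succeed.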
 
McKnife commented:
? So there is something else going on that's much more serious.
Sorry, this one you will have to sort out by yourself, or maybe open a second question.
0
 
RhoSysAdmin (Author) commented:
Moved on to more important things.
0
 
RhoSysAdmin (Author) commented:
No full solution found.  Closing question.
0
