Solved

Event Log Reader for 2008 Domain Controller

Posted on 2013-05-16
Last Modified: 2014-02-02
I'm trying to grant read access to the event logs of our Windows 2008 domain controller using the Event Log Reader built-in security group and Group Policy, according to

http://serverfault.com/questions/346625/is-it-possible-to-grant-read-only-access-to-all-event-logs-on-domain-controllers

However, this is not working.  At first I thought it was a firewall issue.  I enabled inbound rule

     "Remote Event Log Management (RPC)"

which did not fix it.  My test user gets the following error when trying to access the event logs via the Event Viewer:

     "Event Viewer cannot open the event log or custom view. Verify that Event Log
      service is running or query is too long. Access is denied (5)"

The numerous references I've found to the "Event Log Readers" group don't mention any additional required steps.  I've confirmed with the GPMC Group Policy Results wizard that the policy setting is getting set.

Does anyone know what the missing step(s) are I need to do?
Question by:RhoSysAdmin
Expert Comment

by:McKnife
ID: 39172809
You would not even need to be a member of that group as long as your account has admin group membership at the server. We use this and we had to enable a few things at the server, let me see... the plug and play service it was, I think.

Author Comment

by:RhoSysAdmin
ID: 39198193
I can tell you the "Event Log Readers" group membership via GPO has worked for all my other Windows 2008 servers, so there's clearly an additional step for DCs that I'm missing.
Expert Comment

by:Jian An Lim
ID: 39198217
Expert Comment

by:McKnife
ID: 39198594
I am not saying that this is NOT working. I am saying that mere admin rights would also be enough AND that the service "plug and play" needs to be started at the server.

Please check both and give feedback on both.

Author Comment

by:RhoSysAdmin
ID: 39199229
The PnP service is set to automatic and it's started.

I don't doubt this would work fine if I gave the user(s) admin rights to my DC, but that's too big a security risk for my liking.
Expert Comment

by:McKnife
ID: 39199565
Hi again.

Just got it to work from win8 to 2012 server (the DC). Simply use the firewall exception called "Remote eventlog management" at the server. I guess it will be the same at 2008 R2.

Author Comment

by:RhoSysAdmin
ID: 39203276
I'm still getting an access denied message.  Attached is a screenshot of what we're seeing.
denied.png
Expert Comment

by:McKnife
ID: 39203834
Works for me, just tried it on 2008 R2.
If you are doing just the same (adding your user to the group "eventlog readers" right at the server, making a firewall exception for remote eventlog management), then it must work; we have nothing else configured, so something odd must be going on.
So please double check. I get exactly your message if I am not member of the group. Are you sure you added yourself at the right server?

Author Comment

by:RhoSysAdmin
ID: 39205054
Well, I apparently have a GPO problem.  I run the Group Policy Results wiz from GPMC and it shows the group membership for "Events Log Reader".  I run gpresult on my DC and it shows me my change to the "Events Log Readers" group.

But when I run net localgroup "Events Log Readers" on the DC, it doesn't show me any members, which jibes with my end result.
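The checks the thread walks through (actual membership of the builtin "Event Log Readers" group on the DC, the scope of the group being nested, the "Remote Event Log Management (RPC)" firewall rule, the Plug and Play service, and a read test as the non-admin user) collected into one script. This is added example code, not something posted in the thread; the member group name is taken from the thread, and the DC name and test user are placeholders.

```powershell
# Added example (not from the thread). Run on the 2008 R2 DC itself.
# Assumed values: $MemberGroup (taken from the thread), $Dc and $TestUser (placeholders).
param(
    [string]$MemberGroup = "IT Service Desk",   # group the author tried to nest
    [string]$Dc          = $env:COMPUTERNAME,
    [string]$TestUser    = "DOMAIN\testuser"    # placeholder: a member of $MemberGroup
)

# 1. Who is actually in the builtin "Event Log Readers" group on this DC?
#    (the GPO reported the membership, but 'net localgroup' showed no members)
$raw = net localgroup "Event Log Readers" 2>&1
$members = @(); $inList = $false
foreach ($line in $raw) {
    if ($line -match '^-{5,}')                 { $inList = $true; continue }
    if ($line -match '^The command completed') { break }
    if ($inList -and $line.Trim())             { $members += $line.Trim() }
}
"Event Log Readers members: " + $(if ($members) { $members -join ', ' } else { '<none>' })

# 2. Scope of the group being nested. Nesting a domain local group failed with
#    error 8520 in the thread, so DomainLocal scope is flagged as the likely blocker.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $scope = (Get-ADGroup -Identity $MemberGroup).GroupScope
    "$MemberGroup scope: $scope" + $(if ($scope -eq 'DomainLocal') { '  <-- nesting failed with 8520 in the thread' } else { '' })
} catch { "Could not query $MemberGroup via the AD module: $($_.Exception.Message)" }

# 3. The firewall exception named in the thread (netsh works on 2008 R2).
$fw = netsh advfirewall firewall show rule name="Remote Event Log Management (RPC)"
$fwEnabled = @($fw | Where-Object { $_ -match '^Enabled:\s+Yes' }).Count -gt 0
"Remote Event Log Management (RPC) rule enabled: $fwEnabled"

# 4. Plug and Play service, which one expert said must be running.
$pnp = Get-Service -Name PlugPlay
"Plug and Play service: $($pnp.Status)"

# 5. Read test as the non-admin user; the thread's symptom is 'Access is denied (5)'.
$cred = Get-Credential $TestUser
try {
    $ev = Get-WinEvent -ComputerName $Dc -LogName System -MaxEvents 1 -Credential $cred -ErrorAction Stop
    "Read test OK: latest System event id $($ev.Id) at $($ev.TimeCreated)"
} catch {
    "Read test FAILED: $($_.Exception.Message)"
}
```

If step 1 reports no members while the GPO claims otherwise, the policy never took effect on the DC and steps 3 to 5 cannot pass regardless of the firewall setting.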
Expert Comment

by:McKnife
ID: 39205138
Now you know the cause. Put him in manually. If that is not sufficient, please specify what you did at GPO level. I would use restricted groups for this (another GPO feature).

Author Comment

by:RhoSysAdmin
ID: 39205154
Upon further review, we see the following error in the DC's system event log:

      Log Name:      System
      Source:        Microsoft-Windows-DistributedCOM
      Date:          5/29/2013 12:12:06 PM
      Event ID:      10016
      Task Category: None
      Level:         Error
      Keywords:      Classic
      User:          role_servdesk
      Computer:      xxxx.xxxx.xxxx.com
      Description:
      The application-specific permission settings do not grant Remote Activation permission for the COM Server application with CLSID
      {03837521-098B-11D8-9414-505054503030}
       and APPID
      {03837503-098B-11D8-9414-505054503030}
       to the user role_servdesk SID (S-1-5-21-1777997229-774907200-2146756953-10610) from address 10.10.20.57. This security permission can be modified using the Component Services administrative tool.
Expert Comment

by:McKnife
ID: 39205173
I see no connection.

Author Comment

by:RhoSysAdmin
ID: 39205230
So I found that my GPO is trying to apply, but I'm violating some group rule:

net localgroup "Event Log Readers" /add "xxx\IT Service Desk"
System error 8520 has occurred.

A local group cannot have another cross domain local group as a member.


I add this domain local group to the local admin group for all workstations, along with other local groups on my SCCM server.  Do the rules change when we're talking about a DC, or local groups on a DC?
Expert Comment

by:McKnife
ID: 39205259

Author Comment

by:RhoSysAdmin
ID: 39205313
But it's the same domain.  We're a one domain shop.  I tried adding the domain local group without the domain in the name ("IT Service Desk") and got the same error.

FYI, I'm unable to add groups or users via GPO preferences to this Server 2008 R2 DC.
Expert Comment

by:McKnife
ID: 39206949
? So there is something else going on that's much more serious.
Sorry, this one you will have to sort out by yourself, or maybe open a second question.

Accepted Solution

by:
RhoSysAdmin earned 0 total points
ID: 39814967
Moved on to more important things.

Author Closing Comment

by:RhoSysAdmin
ID: 39827445
No full solution found. Closing question.