Solved

Event Log Reader for 2008 Domain Controller

Posted on 2013-05-16
4,751 Views
Last Modified: 2014-02-02
I'm trying to grant read access to the event logs of our Windows 2008 domain controller using the Event Log Reader built-in security group and Group Policy, according to

http://serverfault.com/questions/346625/is-it-possible-to-grant-read-only-access-to-all-event-logs-on-domain-controllers

However, this is not working.  At first I thought it was a firewall issue.  I enabled inbound rule

     "Remote Event Log Management (RPC)"

which did not fix it.  My test user gets the following error when trying to access the event logs via the Event Viewer:

     "Event Viewer cannot open the event log or custom view. Verify that Event Log
      service is running or query is too long. Access is denied (5)"

The numerous references I've found to the "Event Log Readers" group don't mention any additional required steps.  I've confirmed with the GPMC Group Policy Results wizard that the policy setting is getting set.

Does anyone know what the missing step(s) are I need to do?
0
Question by:RhoSysAdmin
19 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 39172809
You would not even need to be member in that group as long as your account has admin group membership at the server. We use this and we had to enable a few things at the server, let me see... the plug and play service it was, I think.
0
 

Author Comment

by:RhoSysAdmin
ID: 39198193
I can tell you the "Event Log Readers" group membership via GPO has worked for all my other Windows 2008 servers, so there's clearly an additional step for DC's that I'm missing.
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39198217
0

 
LVL 56

Expert Comment

by:McKnife
ID: 39198594
I am not saying that this is NOT working. I am saying that mere admin rights would also be enough AND that the service "plug and play" needs to be started at the server.

Please check both and give feedback on both.
0
 

Author Comment

by:RhoSysAdmin
ID: 39199229
The PnP service is set to automatic and it's started.

I don't doubt this would work fine if I gave the user(s) admin rights to my DC, but that's too big a security risk for my liking.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39199565
Hi again.

Just got it to work from win8 to 2012 server (the DC). Simply use the firewall exception called "Remote eventlog management" at the server. I guess it will be the same at 2008 R2.
0
 

Author Comment

by:RhoSysAdmin
ID: 39203276
I'm still getting an access denied message.  Attached is a screenshot of what we're seeing.
denied.png
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39203834
Works for me, just tried it on 2008 R2.
If you are doing just the same: adding your user to the group "eventlog readers" right at the server, making a firewall-exception for remote eventlog management, then it must work, we have nothing else configured, something odd must be going on.
So please double check. I get exactly your message if I am not member of the group. Are you sure you added yourself at the right server?
0
 

Author Comment

by:RhoSysAdmin
ID: 39205054
Well, I apparently have a GPO problem.  I run the Group Policy Results wiz from GPMC and it shows the group membership for "Events Log Reader".  I run gpresult on my DC and it shows me my change to the "Events Log Readers" group.

But when I run net localgroup "Events Log Readers" on the DC, it doesn't show me any members, which jives with my end result.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39205138
Now you know the cause. Put him in manually. If that is not sufficient, please specify what you did at GPO level. I would use restricted groups for this (another GPO feature).
0
 

Author Comment

by:RhoSysAdmin
ID: 39205154
Upon further review, we see the following error in the DC's system event log:

      Log Name:      System
      Source:        Microsoft-Windows-DistributedCOM
      Date:          5/29/2013 12:12:06 PM
      Event ID:      10016
      Task Category: None
      Level:         Error
      Keywords:      Classic
      User:          role_servdesk
      Computer:      xxxx.xxxx.xxxx.com
      Description:
      The application-specific permission settings do not grant Remote Activation permission for the COM Server application with CLSID
      {03837521-098B-11D8-9414-505054503030}
       and APPID
      {03837503-098B-11D8-9414-505054503030}
       to the user role_servdesk SID (S-1-5-21-1777997229-774907200-2146756953-10610) from address 10.10.20.57. This security permission can be modified using the Component Services administrative tool.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39205173
I see no connection.
0
 

Author Comment

by:RhoSysAdmin
ID: 39205230
So I found that my GPO is trying to apply, but I'm violating some group rule:

net localgroup "Event Log Readers" /add "xxx\IT Service Desk"
System error 8520 has occurred.

A local group cannot have another cross domain local group as a member.


I add this domain local group to the local admin group for all workstations, along with other local groups on my SCCM server.  Do the rules change when we're talking about a DC, or local groups on a DC?
0
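As an added diagnostic that is not code from this thread, the PowerShell function below checks the pieces the grant in the question depends on from an admin workstation: whether the principal is a direct member of the DC's Builtin "Event Log Readers" group (reported together with its group scope, since the 8520 error above concerns a domain local group), whether the "Remote Event Log Management (RPC)" firewall rule is enabled on the DC, and whether a remote read of the System log actually succeeds. It assumes the ActiveDirectory RSAT module locally and WinRM on the DC; the `$DC` and `$Principal` values are placeholders.

```powershell
# Added example, not from the thread. Assumptions: ActiveDirectory module (RSAT) on the
# workstation, WinRM enabled on the DC, and the caller allowed to read AD and the DC's firewall.
function Test-EventLogReaderGrant {
    param(
        [Parameter(Mandatory)][string]$DC,         # placeholder, e.g. "DC01.example.com"
        [Parameter(Mandatory)][string]$Principal   # sAMAccountName of the user or group being granted access
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # 1) Membership: on a DC, "Event Log Readers" is the Builtin domain-local group stored in AD,
    #    so read it through AD rather than the local SAM (which is what "net localgroup" queries).
    $members  = Get-ADGroupMember -Identity "Event Log Readers" -Server $DC |
                Select-Object -ExpandProperty SamAccountName
    $isMember = $members -contains $Principal

    # Scope of the principal if it is a group (null for a user); relevant to error 8520 above.
    $scope = (Get-ADGroup -Identity $Principal -Server $DC -ErrorAction SilentlyContinue).GroupScope

    # 2) Firewall: netsh is used because Get-NetFirewallRule does not exist on 2008 R2.
    $ruleText = Invoke-Command -ComputerName $DC -ScriptBlock {
        netsh advfirewall firewall show rule name="Remote Event Log Management (RPC)"
    }
    $ruleEnabled = ($ruleText -match '^Enabled:\s+Yes').Count -gt 0

    # 3) Functional test over the same RPC path Event Viewer uses; "Access is denied" surfaces
    #    as a terminating error here, so the test should be run as the account being granted access.
    try {
        $null = Get-WinEvent -ComputerName $DC -LogName System -MaxEvents 1 -ErrorAction Stop
        $readResult = "OK"
    } catch {
        $readResult = "FAILED: $($_.Exception.Message)"
    }

    [PSCustomObject]@{
        DomainController      = $DC
        Principal             = $Principal
        PrincipalGroupScope   = $scope
        InEventLogReaders     = $isMember
        RpcFirewallRuleEnabled = $ruleEnabled
        RemoteSystemLogRead   = $readResult
    }
}

# Usage (placeholders): Test-EventLogReaderGrant -DC "DC01.example.com" -Principal "IT Service Desk"
```

If InEventLogReaders is false while the GPO claims to apply, the membership step is failing on the DC exactly as the net localgroup output in the thread shows, and the firewall and read checks are not yet meaningful.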
 
LVL 56

Expert Comment

by:McKnife
ID: 39205259
0
 

Author Comment

by:RhoSysAdmin
ID: 39205313
But it's the same domain.  We're a one domain shop.  I tried adding the domain local group without the domain in the name ("IT Service Desk") and got the same error.

Fyi, I'm unable to add groups nor users via GPO preferences to this Server 2008 R2 DC.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39206949
So there is something else going on that's much more serious.
Sorry, this one you will have to sort out by yourself, or maybe open a second question.
0
 

Accepted Solution

by:
RhoSysAdmin earned 0 total points
ID: 39814967
Moved on to more important things.
0
 

Author Closing Comment

by:RhoSysAdmin
ID: 39827445
No full solution found. Closing question.
0
