Solved

Event Log Reader for 2008 Domain Controller

Posted on 2013-05-16
4,971 Views
Last Modified: 2014-02-02
I'm trying to grant read access to the event logs of our Windows 2008 domain controller using the Event Log Reader built-in security group and Group Policy, according to

http://serverfault.com/questions/346625/is-it-possible-to-grant-read-only-access-to-all-event-logs-on-domain-controllers

However, this is not working.  At first I thought it was a firewall issue.  I enabled inbound rule

     "Remote Event Log Management (RPC)"

which did not fix it.  My test user gets the following error when trying to access the event logs via the Event Viewer:

     "Event Viewer cannot open the event log or custom view. Verify that Event Log
      service is running or query is too long. Access is denied (5)"

The numerous references I've found to the "Event Log Readers" group don't mention any additional required steps.  I've confirmed with the GPMC Group Policy Results wizard that the policy setting is getting set.

Does anyone know what the missing step(s) are I need to do?
Question by:RhoSysAdmin
 
LVL 57

Expert Comment

by:McKnife
ID: 39172809
You would not even need to be member in that group as long as your account has admin group membership at the server. We use this and we had to enable a few things at the server, let me see... the plug and play service it was, I think.

Author Comment

by:RhoSysAdmin
ID: 39198193
I can tell you the "Event Log Readers" group membership via GPO has worked for all my other Windows 2008 servers, so there's clearly an additional step for DC's that I'm missing.
LVL 37

Expert Comment

by:Jian An Lim
ID: 39198217
LVL 57

Expert Comment

by:McKnife
ID: 39198594
I am not saying that this is NOT working. I am saying that mere admin rights would also be enough AND that the service "plug and play" needs to be started at the server.

Please check both and give feedback on both.

Author Comment

by:RhoSysAdmin
ID: 39199229
The PnP service is set to automatic and it's started.

I don't doubt this would work fine if I gave the user(s) admin rights to my DC, but that's too big a security risk for my liking.
LVL 57

Expert Comment

by:McKnife
ID: 39199565
Hi again.

Just got it to work from win8 to 2012 server (the DC). Simply use the firewall exception called "Remote eventlog management" at the server. I guess it will be the same at 2008 R2.

Author Comment

by:RhoSysAdmin
ID: 39203276
I'm still getting an access denied message.  Attached is a screenshot of what we're seeing.
denied.png
LVL 57

Expert Comment

by:McKnife
ID: 39203834
Works for me, just tried it on 2008 R2.
If you are doing just the same: adding your user to the group "eventlog readers" right at the server, making a firewall-exception for remote eventlog management, then it must work, we have nothing else configured, something odd must be going on.
So please double check. I get exactly your message if I am not member of the group. Are you sure you added yourself at the right server?

Author Comment

by:RhoSysAdmin
ID: 39205054
Well, I apparently have a GPO problem.  I run the Group Policy Results wizard from GPMC and it shows the group membership for "Event Log Readers".  I run gpresult on my DC and it shows me my change to the "Event Log Readers" group.

But when I run net localgroup "Event Log Readers" on the DC, it doesn't show me any members, which jibes with my end result.
LVL 57

Expert Comment

by:McKnife
ID: 39205138
Now you know the cause. Put him in manually. If that is not sufficient, please specify what you did at GPO level. I would use restricted groups for this (another GPO feature).

Author Comment

by:RhoSysAdmin
ID: 39205154
Upon further review, we see the following error in the DC's system event log:

      Log Name:      System
      Source:        Microsoft-Windows-DistributedCOM
      Date:          5/29/2013 12:12:06 PM
      Event ID:      10016
      Task Category: None
      Level:         Error
      Keywords:      Classic
      User:          role_servdesk
      Computer:      xxxx.xxxx.xxxx.com
      Description:
      The application-specific permission settings do not grant Remote Activation permission for the COM Server application with CLSID
      {03837521-098B-11D8-9414-505054503030}
       and APPID
      {03837503-098B-11D8-9414-505054503030}
       to the user role_servdesk SID (S-1-5-21-1777997229-774907200-2146756953-10610) from address 10.10.20.57. This security permission can be modified using the Component Services administrative tool.
LVL 57

Expert Comment

by:McKnife
ID: 39205173
I see no connection.

Author Comment

by:RhoSysAdmin
ID: 39205230
So I found that my GPO is trying to apply, but I'm violating some group rule:

net localgroup "Event Log Readers" /add "xxx\IT Service Desk"
System error 8520 has occurred.

A local group cannot have another cross domain local group as a member.


I add this domain local group to the local admin group for all workstations, along with other local groups on my SCCM server.  Do the rules change when we're talking about a DC, or local groups on a DC?
LVL 57

Expert Comment

by:McKnife
ID: 39205259

Author Comment

by:RhoSysAdmin
ID: 39205313
But it's the same domain.  We're a one domain shop.  I tried adding the domain local group without the domain in the name ("IT Service Desk") and got the same error.

FYI, I'm unable to add groups nor users via GPO preferences to this Server 2008 R2 DC.
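The checks the thread walks through (the scope of the group behind error 8520, the real membership of Event Log Readers on the DC, the firewall rule, and the remote read itself), as an added PowerShell diagnostic that is not part of the thread. It assumes the RSAT ActiveDirectory module on the admin workstation; $Dc is a placeholder and "IT Service Desk" is the group named in the thread.

```powershell
# Added diagnostic, not from the thread. Assumes RSAT ActiveDirectory module;
# $Dc is a placeholder DC name, 'IT Service Desk' is the group from the thread.
param(
    [string]$Dc         = 'DC01.example.com',   # placeholder
    [string]$GroupToAdd = 'IT Service Desk',
    [string]$Reader     = 'Event Log Readers'
)
Import-Module ActiveDirectory

# 1. Group scope. On a DC the Builtin groups live in the BUILTIN (S-1-5-32) SID
#    domain, so a domain local group from the AD domain is treated as a
#    "cross domain local group" and rejected with error 8520. A global or
#    universal group (or nesting the users in one) is accepted.
$g = Get-ADGroup -Identity $GroupToAdd -Server $Dc
"Scope of '$GroupToAdd': $($g.GroupScope)"
if ($g.GroupScope -eq 'DomainLocal') {
    "  -> Builtin\$Reader will not accept this group; use Global or Universal scope"
}

# 2. Effective membership of Event Log Readers as stored on the DC; this is
#    what 'net localgroup' reports, regardless of what gpresult claims.
"Members of '$Reader' on ${Dc}:"
Get-ADGroupMember -Identity $Reader -Server $Dc -Recursive |
    ForEach-Object { "  $($_.objectClass): $($_.SamAccountName)" }

# 3. Firewall rule state. netsh is used because Get-NetFirewallRule does not
#    exist on Server 2008 R2.
"Firewall rule on ${Dc}:"
Invoke-Command -ComputerName $Dc -ScriptBlock {
    netsh advfirewall firewall show rule name="Remote Event Log Management (RPC)"
} | Select-String 'Enabled'

# 4. The actual remote read as the test user. A failure here reproduces the
#    "Access is denied (5)" symptom seen in Event Viewer.
$cred = Get-Credential -Message "Account that should be able to read $Dc logs"
try {
    Get-WinEvent -ComputerName $Dc -LogName System -MaxEvents 3 -Credential $cred |
        Select-Object TimeCreated, Id, ProviderName
    "Remote read succeeded"
} catch {
    "Remote read failed: $($_.Exception.Message)"
}
```

Run it from a workstation with an account that can query AD; step 4 prompts for the test user's credentials so the read is performed with exactly the rights under test.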
LVL 57

Expert Comment

by:McKnife
ID: 39206949
So there is something else going on that's much more serious.
Sorry, this one you will have to sort out by yourself, or maybe open a second question.

Accepted Solution

by:
RhoSysAdmin earned 0 total points
ID: 39814967
Moved on to more important things.

Author Closing Comment

by:RhoSysAdmin
ID: 39827445
No full solution found.  Closing question.
