• Status: Solved

Allow Non Administrator users to read Event Logs Windows 2003 and Windows 2008

We are trying to provide access to all server event logs within the domain to a single user account. Based on this article, all we need to do is add the account to the built-in Event Log Readers group in AD.


We did this and the error we receive is indicating Access is Denied (5). Any idea why this is not working and if there is something we have missed?
1 Solution
Please tell us how you access the log: via remote MMC?
The Event Log Readers domain group applies only to the event logs of domain controllers. On every Windows 2008 (R2) server the Event Log Readers group is a local group. You have to add an AD group which contains this user (preferred), or the AD user directly, to this local group.
On Windows 2003 there is actually no Event Log Readers group.
To make this work there, a registry entry on each server has to be modified for each event log. E.g. for the System event log:
An SDDL string with the SID of the AD group (or user) has to be added to this string.

You can look up the SID of an AD user or group via PsGetSid.
See also: http://technet.microsoft.com/en-us/sysinternals/bb897417
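
For the SDDL step described above, one way to build the new string is sketched below. This is an added example, not code posted by anyone in this thread: the function name `Add-EventLogReadAce`, the sample descriptor and the sample SID are constructed for illustration. It appends a read-only allow ACE for one SID and leaves the existing entries untouched.

```powershell
# Added example: append a read-only allow ACE for one SID to an event log SDDL string.
# Add-EventLogReadAce is a hypothetical helper name, not a built-in cmdlet.
function Add-EventLogReadAce {
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,  # current security descriptor string of the log
        [Parameter(Mandatory = $true)][string]$Sid,   # SID of the AD group or user (e.g. from PsGetSid)
        [int]$AccessMask = 0x1                        # event log rights: 0x1 read, 0x2 write, 0x4 clear
    )

    # Reject anything that is not a well-formed SID before it ends up in the registry.
    $sidValue = (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Value

    # Split the string into: owner/group plus "D:" and its flags, the DACL ACEs,
    # and an optional SACL ("S:...") that must stay at the end.
    $pattern = '^(?<head>.*?D:[A-Z]*)(?<dacl>(?:\([^()]*\))+)(?<sacl>S:.*)?$'
    $m = [regex]::Match($Sddl, $pattern)
    if (-not $m.Success) {
        throw "No DACL with at least one ACE found in: $Sddl"
    }

    # ACE layout: (type;flags;rights;object guid;inherit guid;SID), "A" = allow.
    $ace = '(A;;0x{0:x};;;{1})' -f $AccessMask, $sidValue

    # Idempotent: running it twice must not stack duplicate ACEs.
    if ($m.Groups['dacl'].Value.Contains($ace)) {
        return $Sddl
    }

    # Append after the existing ACEs so deny entries keep their position in front.
    return $m.Groups['head'].Value + $m.Groups['dacl'].Value + $ace + $m.Groups['sacl'].Value
}

# Constructed sample values, not taken from a real server.
$currentSddl = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)'
$groupSid    = 'S-1-5-21-1111111111-2222222222-3333333333-1234'

$newSddl = Add-EventLogReadAce -Sddl $currentSddl -Sid $groupSid
$newSddl
```

Granting only `0x1` keeps the account read-only; write and clear rights stay with the entries that already had them.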
Sandeshdubey (Senior Server Engineer) Commented:

dumamo (Author) Commented:
Sandeshdubey: You are aware I posted that exact article in my question, right?

Thanks for the feedback zalazar. I will have to use a GPO with preferences to populate the local group on servers and the reg entry on 2003.
You're welcome and thanks.
Good luck with the implementation.
dumamo (Author) Commented:
zalazar: I am having trouble constructing the SDDL string for a group. Can you assist?
Sure, what kind of trouble do you have?