Allow Non Administrator users to read Event Logs Windows 2003 and Windows 2008

We are trying to provide access to all server event logs within the domain to a single user account. Based on this article, all we need to do it add the account to the Built in Event Log Readers group in AD.

We did this and the error we receive is indicating Access is Denied (5). Any idea why this is not working and if there is something we have missed?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Please tell us how you Access the log: via remote mmc?
The Event Log Readers domain group does only apply to the Eventlogs of domain controllers. On every Windows 2008 (R2) server the Event Log Readers group is a local group. You have to add an AD group which contains this user (preferred) or directly the AD user to this local group.
On Windows 2003 there is actually no Event Log Readers group.
To make this work there a registry entry on each server has to be modified for each Eventlog. E.g. for the System Eventlog:
A SDDL string with the SID of the AD group (or user) has to be added to this string.

You can lookup the SID of a AD user or group via PsGetSid.
See also:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SandeshdubeySenior Server EngineerCommented:
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

dumamoAuthor Commented:
Sandeshdubey: You are aware I posted that exact article in my question right?

Thanks for the feedback zalazar. I will have use a GPO with preferences to populate the local group on servers and the reg entry on 2003.
You're welcome and thanks.
Good luck with the implementation.
dumamoAuthor Commented:
zalazar: I am having trouble constructing the SDDL string for a group. Can you assist?
Sure, what kind of trouble do you have ?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.