Solved

SDDL to allow only a single group permission to clear a log.

Posted on 2014-04-14
1
436 Views
Last Modified: 2014-04-14
I need to set permissions on logs so that only a particular group can clear them.
They do not want local admins being able to clear logs.
This is the string that I am using...

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x1;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x5;;;S-1-5-21-420750453-732723933-745807249-1955115)

I've even tried...

O:BAG:SYD:(D;;0x4;;;BA)(A;;0xf0005;;;SY)(A;;0x1;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x5;;;S-1-5-21-420750453-732723933-745807249-1955115)

I'm applying this to a test machine using local group policy.
I've verified its being applied as listed by using RSOP.msc.
I've checked to ensure the test user isn't in the log-clearing group.
The log-clearing group only contains users and no groups and I've verified the SID.
Yet, members of the local admin group are still able to clear the log.

What am I missing?
Also, with SDDL what the difference between 0xf0005 and 0x5? I see it used both ways.
I've tried with quotes and without, neither generate an error when using GPUPDATE /force.

Thanks in Advance.

David K.
0
Comment
Question by:WaywardS0n
1 Comment
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 39999331
Hi.

You cannot set limits on admins. They can undo/reset /circumvent all of them. So you will have to rely on auditing or remove admin rights.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now