Solved

SDDL to allow only a single group permission to clear a log.

Posted on 2014-04-14
1
444 Views
Last Modified: 2014-04-14
I need to set permissions on logs so that only a particular group can clear them.
They do not want local admins being able to clear logs.
This is the string that I am using...

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x1;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x5;;;S-1-5-21-420750453-732723933-745807249-1955115)

I've even tried...

O:BAG:SYD:(D;;0x4;;;BA)(A;;0xf0005;;;SY)(A;;0x1;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x5;;;S-1-5-21-420750453-732723933-745807249-1955115)

I'm applying this to a test machine using local group policy.
I've verified its being applied as listed by using RSOP.msc.
I've checked to ensure the test user isn't in the log-clearing group.
The log-clearing group only contains users and no groups and I've verified the SID.
Yet, members of the local admin group are still able to clear the log.

What am I missing?
Also, with SDDL what the difference between 0xf0005 and 0x5? I see it used both ways.
I've tried with quotes and without, neither generate an error when using GPUPDATE /force.

Thanks in Advance.

David K.
0
Comment
Question by:WaywardS0n
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 54

Accepted Solution

by:
McKnife earned 500 total points
ID: 39999331
Hi.

You cannot set limits on admins. They can undo/reset /circumvent all of them. So you will have to rely on auditing or remove admin rights.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question