SDDL to allow only a single group permission to clear a log.

I need to set permissions on logs so that only a particular group can clear them.
They do not want local admins being able to clear logs.
This is the string that I am using...

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x1;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x5;;;S-1-5-21-420750453-732723933-745807249-1955115)

I've even tried...

O:BAG:SYD:(D;;0x4;;;BA)(A;;0xf0005;;;SY)(A;;0x1;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x5;;;S-1-5-21-420750453-732723933-745807249-1955115)

I'm applying this to a test machine using local group policy.
I've verified its being applied as listed by using RSOP.msc.
I've checked to ensure the test user isn't in the log-clearing group.
The log-clearing group only contains users and no groups and I've verified the SID.
Yet, members of the local admin group are still able to clear the log.

What am I missing?
Also, with SDDL what the difference between 0xf0005 and 0x5? I see it used both ways.
I've tried with quotes and without, neither generate an error when using GPUPDATE /force.

Thanks in Advance.

David K.
WaywardS0nAsked:
Who is Participating?
 
McKnifeConnect With a Mentor Commented:
Hi.

You cannot set limits on admins. They can undo/reset /circumvent all of them. So you will have to rely on auditing or remove admin rights.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.