Solved

SDDL to allow only a single group permission to clear a log.

Posted on 2014-04-14
1
432 Views
Last Modified: 2014-04-14
I need to set permissions on logs so that only a particular group can clear them.
They do not want local admins being able to clear logs.
This is the string that I am using...

O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x1;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x5;;;S-1-5-21-420750453-732723933-745807249-1955115)

I've even tried...

O:BAG:SYD:(D;;0x4;;;BA)(A;;0xf0005;;;SY)(A;;0x1;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x5;;;S-1-5-21-420750453-732723933-745807249-1955115)

I'm applying this to a test machine using local group policy.
I've verified its being applied as listed by using RSOP.msc.
I've checked to ensure the test user isn't in the log-clearing group.
The log-clearing group only contains users and no groups and I've verified the SID.
Yet, members of the local admin group are still able to clear the log.

What am I missing?
Also, with SDDL what the difference between 0xf0005 and 0x5? I see it used both ways.
I've tried with quotes and without, neither generate an error when using GPUPDATE /force.

Thanks in Advance.

David K.
0
Comment
Question by:WaywardS0n
1 Comment
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
ID: 39999331
Hi.

You cannot set limits on admins. They can undo/reset /circumvent all of them. So you will have to rely on auditing or remove admin rights.
0

Featured Post

Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A procedure for exporting installed hotfix details of remote computers using powershell
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now