
SDDL to allow only a single group permission to clear a log.

I need to set permissions on logs so that only a particular group can clear them.
They do not want local admins being able to clear logs.
This is the string that I am using...


I've even tried...


I'm applying this to a test machine using local group policy.
I've verified it's being applied as listed by using RSOP.msc.
I've checked to ensure the test user isn't in the log-clearing group.
The log-clearing group only contains users and no groups and I've verified the SID.
Yet, members of the local admin group are still able to clear the log.

What am I missing?
Also, with SDDL, what's the difference between 0xf0005 and 0x5? I see it used both ways.
I've tried with quotes and without; neither generates an error when using GPUPDATE /force.

Thanks in Advance.

David K.
1 Solution

You cannot set limits on admins. They can undo/reset/circumvent all of them. So you will have to rely on auditing or remove admin rights.
Question has a verified solution.
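
The 0xf0005 versus 0x5 comparison in the question comes down to which bits of the access mask are set. The Python sketch below is an added example, not code from the thread: it parses the DACL of an event log SDDL string and decodes each ACE's mask, using the event log rights (read 0x1, write 0x2, clear 0x4) and the standard-rights block 0xF0000. The `LOG_*` labels, the sample SDDL string and the group SID in it are constructed for illustration.

```python
import re

# Event-log-specific rights live in the low bits of the access mask;
# 0x000F0000 is the standard-rights block (STANDARD_RIGHTS_REQUIRED).
RIGHTS = {
    0x1: "LOG_READ", 0x2: "LOG_WRITE", 0x4: "LOG_CLEAR",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}

def decode_mask(mask):
    """Names of every known right set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def parse_dacl(sddl):
    """Return [(ace_type, trustee, mask)] for the DACL of an SDDL string."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL found in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        # Event log SDDL normally uses numeric masks; symbolic rights
        # such as "GA" are outside this example and raise ValueError.
        aces.append((ace_type, trustee, int(rights, 0)))
    return aces

def summarize(sddl):
    """Map each trustee to the rights named by its allow (A) and deny (D) ACEs."""
    masks = {}
    for ace_type, trustee, mask in parse_dacl(sddl):
        entry = masks.setdefault(trustee, {"A": 0, "D": 0})
        if ace_type in entry:
            entry[ace_type] |= mask
    return {t: {k: decode_mask(m) for k, m in e.items()}
            for t, e in masks.items()}

# Constructed sample, not the poster's string. S-1-5-21-1111-2222-3333-1105
# is a placeholder SID standing in for the log-clearing group.
SAMPLE = ("O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x1;;;BA)"
          "(A;;0x5;;;S-1-5-21-1111-2222-3333-1105)")

if __name__ == "__main__":
    for trustee, entry in summarize(SAMPLE).items():
        print(trustee, "allow:", entry["A"], "deny:", entry["D"])
```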
