• Status: Solved

How to give read only to event viewer logs on Domain controller to a service account

I would like to give read only on event viewer logs on all domain controllers in order to monitor event IDs. What is the best way without giving too much permission?

We are running Windows 2012 R2 domain controllers.
Asked: Jimmy Wang
2 Solutions
 
Robert (System Admin) commented:
Have you tried adding the users to the builtin group "Event log readers"?
 
Jimmy Wang (Author) commented:
I wasn't sure whether this "Event log readers" group includes domain controller access to read the event viewer. Our procedure can change on the fly with production DCs and I don't have a test environment to test this. Can you confirm that this does include domain controllers, not just member servers?
 
Robert (System Admin) commented:
Yes, it should work as long as all your DCs are at least 2008 R2, I believe.
 
Jimmy Wang (Author) commented:
OK, thanks for getting back to me. I will give that a try.

I meant, we can't make changes on the fly, so I just need to confirm it. But it does sound like it should.
 
Learnctx (Engineer) commented:
I would like to give read only on event viewer logs on all domain controller in order to monitor eventID. what is the best way without giving too much permission ?

Event log forwarding to another host which the service account has access to. Or run an agent like SCOM/Splunk to export or alert on events as they are generated in real time.
 
Jimmy Wang (Author) commented:
Tried with the "Event log readers" group; it didn't work to access the domain controller event viewer.

Learnctx,
We are not running SCOM here at our company. We are using WindSolar, which is why we need a service account that can have access to the event viewer. Is there any other method to give read-only permission on a domain controller to read the event viewer? Any KB?
 
Robert (System Admin) commented:
Here is another method provided in a TechNet blog.
https://blogs.technet.microsoft.com/janelewis/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008/

I have seen some articles indicating that the Event log readers group doesn't work because of permissions on a registry key, but I tested it in my environment and it worked without any modifications.
 
Jimmy Wang (Author) commented:
Hi Robert,
Thanks for the KB. I assume this would also apply to Windows 2012 R2 domain controllers, or is there another link for Windows 2012 DCs?
 
Learnctx (Engineer) commented:
any other method to give read only on domain controller to read event viewer permission ?

Of course, you can delegate the rights very easily; see the link that Robert has posted. Personally I do not give access to domain controllers for external sources. If you don't have SCOM, there's the small guy's version of event log collecting, which is Event Log Forwarding. This comes built into Windows and allows you to forward your logs from some or all of your devices to a central log collector server (or a series of log collector servers); see here. Personally I prefer SCOM, OMS, and Splunk, but that is not an option for you.
 
Robert (System Admin) commented:
Yes, the steps the article provides for 2008 should work for Server 2012.
That said, the process provided is basically manually assigning permissions that the Event log readers group should already provide.
 
Jimmy Wang (Author) commented:
Thanks, Learnctx and Robert.
 
Jimmy Wang (Author) commented:
Thank you both! Much appreciated.
 
Pber (Solutions Architect) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Robert (https:#a42423617)
-- Learnctx (https:#a42424184)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
Question has a verified solution.
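
The thread leaves open whether membership in "Event log readers" is enough on a given domain controller. The following is an added example, not code from the thread or the linked TechNet post: it reads a log's security descriptor and reports whether the built-in Event Log Readers group (well-known SID S-1-5-32-573) holds the read right. `Get-DcLogAccess` is a hypothetical helper name and the sample descriptors are constructed.

```powershell
# Added example. Get-DcLogAccess is a hypothetical helper name; the sample SDDL strings are constructed.
$ReadersSid = 'S-1-5-32-573'   # well-known SID of BUILTIN\Event Log Readers
$ReadBit    = 0x1              # "read" access right on an event log channel

function Test-ReadersCanRead {
    # $true when the descriptor's DACL lets Event Log Readers read the log.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $ReadersSid) { continue }
        if (($ace.AccessMask -band $ReadBit) -eq 0) { continue }
        # Simplification: any deny ACE for the group on the read bit is treated as blocking.
        if ($ace.AceQualifier -eq 'AccessDenied') { return $false }
        if ($ace.AceQualifier -eq 'AccessAllowed') { $allowed = $true }
    }
    return $allowed
}

function Get-DcLogAccess {
    # Live check: one row per domain controller. Needs the ActiveDirectory module
    # and an account that may query the log configuration remotely.
    param([string]$LogName = 'Security')
    Get-ADDomainController -Filter * | ForEach-Object {
        $log = Get-WinEvent -ListLog $LogName -ComputerName $_.HostName
        [pscustomobject]@{
            DomainController = $_.HostName
            Log              = $LogName
            ReadersCanRead   = Test-ReadersCanRead -Sddl $log.SecurityDescriptor
        }
    }
}

# Offline demonstration on constructed descriptors.
$samples = [ordered]@{
    'Readers hold the read right' = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
    'Readers ACE absent'          = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)'
    'Readers denied read'         = 'O:BAG:SYD:(D;;0x1;;;S-1-5-32-573)(A;;0x5;;;BA)'
}
foreach ($name in $samples.Keys) {
    '{0,-28} {1}' -f $name, (Test-ReadersCanRead -Sddl $samples[$name])
}
```

Running `Get-DcLogAccess` from a management host lists each domain controller with the result for the chosen log; a `False` row means that log's descriptor does not grant the group read access, so group membership alone will not let the service account read it.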
