How to give Read-only access to Event logs to particular users

Sometimes it is necessary to permit certain groups of people access to event logs on domain controllers or other servers in the domain. The most common request is read-only access to various event logs to enable delegated administrators monitor the logs. A good example is giving DNSAdmins read-only access to the DNS event logs.

The process is very cryptic and involves modification of some registry keys. It is documented in the below mentioned KB articles:

http://support.microsoft.com/?id=323076
How to set event log security locally or by using Group Policy in Windows Server 2003
http://support.microsoft.com/kb/842209/en-us
You receive an "Access is denied" error message when you try to access an event log on a Windows Server 2003-based computer or on a Windows 2000-based computer

The default ACLs for each event log is below, which you need to start with as your base then add whatever additional ACLs you want:

Application Log:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

Directory Services:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

DNS Service:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

File Replication Service:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

Security Event Log:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)

System Event Log:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x1;;;S-1-5-3)(A;;0x2;;;NS)

To add more groups or users to the ACL list, you first need to determine the SID of the user or group. It should start with an "S" and be quite long, such as S-1-5-21-702074188-2833732907-241959117-48998. You can use LDP or other methods to find the SID.

The SDDL syntax for adding read-only access to any of the logs above is:

(A;;0x1;;;<Insert SID here>), for example: (A;;0x1;;;S-1-5-21-702074188-2833732907-241959117-48998)

For the security event log the final ACL would look like:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-21-702074188-2833732907-241959117-48998)

Just cut and paste this into the GPMC for the right event log, and viola! Instant read-only access is granted to a specific user or group

————– End of Document —————–

Tags: Windows XP, Windows Server 2000, Windows Server 2003

Published Date: 20070829

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: