5

I would like to grant Read-Access to event logs on all my domain controllers, ideally at a domain level using GPO. I would like members of a group to be able to view the Application Log, the System Log, and several logs in "Application and Services logs" such as "Directory Service" and "File Replication Service." What would be the best strategy of going about this?

Please note that most of my Domain Controllers are 2008 R2

Andy Schneider

2 Answers

3

It's definitely feasible, depending on whether you're running Server 2003 SP1 or newer. If so, you can modify some registry settings that allow specific access to Event Viewer, as well as apply local GPO settings for users.

Microsoft has a document showing the steps to take to do exactly what you want to do.

Split71
  • I tried adding the registry value HKLM\System\CurrentControlSet\services\eventlog\System\CustomSD and added in my SDDL string, (A;;0x1;;;S-1-5-21-896847735-2360946534-3325243356-1109), but I cannot get it to work. Do you know if this works on a 2008 R2 Domain Controller? – Andy Schneider Jan 05 '12 at 18:07
  • Look at the bottom of this article for trying the wevtutil.exe utility for ACL modifications within 2008 R2: http://blogs.msdn.com/b/ericfitz/archive/2006/03/01/541462.aspx This may or may not work for you, and I can't be 100% sure because I haven't had to do it within 2008 R2. – Split71 Jan 05 '12 at 19:02
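The following PowerShell script is an added example for the registry/SDDL approach discussed in this answer and its comments; it is not code from the original page, Microsoft's document, or the linked blog post. It appends a read-only ACE (access mask 0x1) for a group to the channel access descriptor of each named log using wevtutil, which is the supported way to change that descriptor on 2008 R2 rather than hand-editing the CustomSD value. The group name CONTOSO\EventLogViewers is a placeholder; the script is written for the PowerShell 2.0 that ships with 2008 R2 and must run with administrative rights on each DC, for example as a computer startup script in a GPO linked to the Domain Controllers OU.

```powershell
# Added example, not the original answer's code. Grants read access on the
# listed event logs to a group by appending an ACE to each log's channel
# access SDDL via wevtutil. Assumes: PowerShell 2.0 on 2008 R2, run as an
# administrator on the DC, and a hypothetical group named below.
$Group = 'CONTOSO\EventLogViewers'   # placeholder, replace with your own group
$Logs  = @('Application', 'System', 'Directory Service', 'File Replication Service')

# The SDDL ACE must carry the group's SID, not its name.
$Sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$Ace = "(A;;0x1;;;$Sid)"   # A = allow ACE, 0x1 = read access on an event log

foreach ($Log in $Logs) {
    # 'wevtutil gl' prints the channel configuration; the channelAccess line
    # is the current SDDL (O:owner G:group D:(ace)(ace)...).
    $Line    = wevtutil gl "$Log" | Where-Object { $_ -like 'channelAccess:*' }
    $Current = ($Line -replace '^channelAccess:\s*', '').Trim()
    if (-not $Current) {
        Write-Warning "No channelAccess returned for '$Log'; does the log exist on this DC?"
        continue
    }

    # Idempotent: a startup script runs at every boot, so do not add a second ACE.
    if ($Current -like "*$Sid*") {
        Write-Host "'$Log' already contains an ACE for $Group"
        continue
    }

    # Append the ACE inside the DACL. If a SACL (S:...) is present it follows the
    # DACL, so insert the ACE before it; otherwise just append.
    if ($Current -match '^(.*?)(S:.*)$') {
        $New = $Matches[1] + $Ace + $Matches[2]
    } else {
        $New = $Current + $Ace
    }

    # 'wevtutil sl /ca:' writes the new channel access descriptor for the log.
    wevtutil sl "$Log" /ca:"$New"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil sl failed on '$Log' (exit code $LASTEXITCODE)"
        continue
    }
    Write-Host "Granted read on '$Log' to $Group"
}
```

Two points worth checking before deploying this broadly: run `wevtutil gl "Directory Service"` afterwards on one DC and confirm the channelAccess line now ends with your ACE, and keep the mask at 0x1 so the group can read but not clear (0x4) or write (0x2) the logs.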
2

There is a built in group for just this purpose. Event Log Readers. Add users to the group that you want to have read access to the logs. You can definitely do this via GPO. You can modify the Default Domain Controllers Policy (or create one at the same level) if you want it to only apply to your DCs. You want to update the Event Log Readers group with the users you want to be able to read event logs on your DCs.


Ryan Ries
  • There are no Local Users and Groups on Domain Controllers. There is an "Event Log Readers" group in the Builtin container in AD, but that group doesn't have access to the AD-specific logs – Andy Schneider Jan 04 '12 at 21:02
  • 1
    I got this working by adding users to Event Log Readers which is in the in Builtin container in AD, not in Local users and groups. Not sure why it failed the first time. – Andy Schneider Jan 06 '12 at 20:17
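Whichever route is taken, the Event Log Readers group from this answer or the SDDL grant from the first one, the practical check is to read each log on each DC as a member of the group and see which combinations are actually denied. The script below is an added example, not code from the original answers. It lists the current members of the Builtin Event Log Readers group, discovers the domain controllers, and attempts a one-event read of each log on each DC. It assumes the ActiveDirectory PowerShell module (RSAT or a 2008 R2 DC) is available, that the account running it is the one whose access you want to verify, and that RPC to the DCs is allowed; an empty log is reported as OK because "no events" is not an access failure.

```powershell
# Added example, not the original answer's code. Verifies read access to the
# named logs on every DC for the account running the script. Assumes the
# ActiveDirectory module is available and remote event log access (RPC) works.
$Logs = @('Application', 'System', 'Directory Service', 'File Replication Service')

Import-Module ActiveDirectory

# Show who is currently in the Builtin group this answer relies on.
Write-Host 'Members of Event Log Readers:'
Get-ADGroupMember -Identity 'Event Log Readers' |
    ForEach-Object { Write-Host ("  " + $_.objectClass + "  " + $_.SamAccountName) }

# Enumerate the DCs from AD rather than from a hand-maintained list.
$DCs = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

$Results = @()
foreach ($DC in $DCs) {
    foreach ($Log in $Logs) {
        $Status = 'OK'
        try {
            # Opening the channel and reading one event is enough to prove access.
            $null = Get-WinEvent -ComputerName $DC -LogName $Log -MaxEvents 1 -ErrorAction Stop
        } catch {
            # An empty log throws "No events were found"; that is still readable.
            if ($_.Exception.Message -like '*No events were found*') {
                $Status = 'OK (empty log)'
            } else {
                $Status = 'FAILED: ' + $_.Exception.Message
            }
        }
        $Results += New-Object PSObject -Property @{ DC = $DC; Log = $Log; Status = $Status }
    }
}

$Results | Sort-Object DC, Log | Format-Table DC, Log, Status -AutoSize
```

A FAILED row that mentions "Access is denied" on only the Directory Service or File Replication Service logs, while Application and System read fine, is the pattern to look for if the group membership is correct but a per-log ACL still needs adjusting.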