
I would like to set up the following audit scenario:
A large Active Directory domain is scattered among various physical sites, each contained in its own organizational unit. The members of a non-administrative domain group must remotely access Event Logs on each computer of one site. No additional rights should be granted to the group other than those strictly necessary for performing the aforementioned task.

Domain version is 2003, with some 2008R2 servers.
I have looked through delegation wizards and Group Policies to no avail. Granting domain or local administrative rights is out of question, even if through restricted groups.
Global domain auditing must not be impacted, nor can it be accessed in order to perform this task.

Please, is such delegation possible? If yes, how is it deployed?

Thanks,
Regards

JOAT

1 Answer


You can definitely do what you're looking for. It's just a matter of modifying the default security descriptors on the specific log (or logs) you want to grant access to.

In Windows Server 2008 there is a built-in group "Event Log Readers", that can be used to grant other users or groups rights to read the event logs. This doesn't help you with Windows Server 2003. Be aware that there is a hotfix for a mistake in the groups.xml file that can cause Group Policy Preferences to fail to populate the "Event Log Readers" group. (I would use "Restricted Groups" policy, personally...)

You can also use the wevtutil command to modify the security descriptors on event logs in Windows Server 2008.

For your Windows 2003 machines (and Windows 2008 machines, if you want), each Event Log has configuration information stored in subkeys of HKLM\System\CurrentControlSet\Services\EventLog. To modify the default security descriptor for a given log, locate the corresponding subkey, add a REG_SZ value named CustomSD, and specify the security descriptor in security descriptor definition language (SDDL) format. Microsoft's KB323076 describes the CustomSD value, and KB914392 describes SDDL notation (though it fails to mention the Read, Write, and Clear rights, which are described in the EventLog registry key reference).

Evan Anderson
  • That did it, thank you. On 2008 and 7 machines I granted membership to the group "Event Log Readers" through the restricted groups policy as per your instructions, then I could finally access the local logs. I still have to decide on 2003, as given the number of machines, permission changes would have to be scripted. Thanks a lot, that was quite important for my work. All the Best. – JOAT Apr 13 '13 at 21:09
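Scripting the Windows 2003 side that the comment above leaves open, as an added example (not code from the answer, from Microsoft, or from the asker): PowerShell that appends a Read-only ACE for one group SID to a single log's CustomSD on a remote host. It assumes Remote Registry is reachable, the caller can write the EventLog key, and the delegated group's SID is already known; the baseline descriptor it uses when no CustomSD exists is a minimal assumption, not the per-log default from KB323076.

```powershell
# Added example, not from the original answer or from Microsoft: append a
# read-only ACE for one group to CustomSD on one remote Windows 2003 host.
# Assumed (not stated on the page): Remote Registry is reachable, the caller
# can write the EventLog key, and $GroupSid is the delegated group's SID.
param(
    [Parameter(Mandatory=$true)][string]$ComputerName,
    [Parameter(Mandatory=$true)][string]$GroupSid,   # placeholder, e.g. 'S-1-5-21-<domain>-<rid>'
    [string]$LogName = 'Security'
)

# Event-log access mask bits from the EventLog registry reference the answer
# cites: 0x1 = Read, 0x2 = Write, 0x4 = Clear. Delegate Read only.
$readAce = "(A;;0x1;;;$GroupSid)"

# CustomSD *replaces* the log's default ACL, so a descriptor created from
# scratch must still keep SYSTEM and Administrators. This minimal baseline is
# an assumption; take the real per-log default from KB323076 in production.
$baseline = 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)'

$hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
$key = $hive.OpenSubKey("SYSTEM\CurrentControlSet\Services\EventLog\$LogName", $true)
if ($key -eq $null) { throw "Log '$LogName' not found on $ComputerName" }

$current = $key.GetValue('CustomSD')
if ($current -eq $null) { $current = $baseline }
# Appending at the end only works when there is no SACL (S:) section after D:.
if ($current -match 'S:') { throw "CustomSD on $ComputerName has an S: section; edit it by hand" }

if ($current -like "*;;;$GroupSid)*") {
    Write-Host "$ComputerName/$LogName already has an ACE for $GroupSid; nothing changed"
} else {
    $new = $current + $readAce
    # Parse the SDDL before writing it: a malformed CustomSD will not behave
    # as intended, so fail here rather than leave a broken descriptor behind.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor $new
    $key.SetValue('CustomSD', $new, [Microsoft.Win32.RegistryValueKind]::String)
    Write-Host "$ComputerName/$LogName CustomSD -> $new"
}
$key.Close(); $hive.Close()
```

Run it per host from a list of machines in the site's OU, and verify afterwards from a member of the delegated group that the log opens read-only and that Clear is refused.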