Thursday, November 13, 2008

Windows Server 2003 Event Log access

I've just spent about 2 hours messing about figuring out how to give non-admin users access over the network to the Event Logs on a Windows Server 2003 SP2 server. What fun hours they were too! Since I might never find this again, I thought I would report it...

This allows Authenticated Users to read the Application and System logs. To tie it down a lot more, put an AD SID in place of 'AU'.

Just append the text '(A;;0x1;;;AU)' to the end of the string value 'CustomSD' in the following keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
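
The same edit as a string operation, added here as an example and not part of the original post: it decodes the ACEs in a CustomSD value and appends the read ACE only when the trustee does not already have it. The sample CustomSD string and the group SID are constructed, and the write (0x2) and clear (0x4) bit meanings are taken from Microsoft's event log access-mask documentation rather than from the post.

```python
import re

# Event log access rights (low bits of the ACE access mask).
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}
ACE_RE = re.compile(r"\(([^()]*)\)")
# Two-letter SDDL alias (AU, BA, ...) or a full SID string.
TRUSTEE_RE = re.compile(r"^(?:[A-Z]{2}|S-1-\d+(?:-\d+)+)$")

# Constructed sample value, not copied from a real server.
SAMPLE_SD = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)"


def parse_aces(custom_sd):
    """Return (ace_type, mask, trustee) for every ACE in the SDDL string."""
    aces = []
    for body in ACE_RE.findall(custom_sd):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        # Assumes hex masks, as in the post's ACE; letter rights raise ValueError.
        aces.append((fields[0], int(fields[2], 16), fields[5]))
    return aces


def describe(custom_sd):
    """Human-readable view: who is allowed or denied which log rights."""
    out = []
    for ace_type, mask, trustee in parse_aces(custom_sd):
        verb = {"A": "allow", "D": "deny"}.get(ace_type, ace_type)
        rights = [name for bit, name in RIGHTS.items() if mask & bit]
        out.append("%s %s: %s" % (verb, trustee, ",".join(rights)))
    return out


def append_read_ace(custom_sd, trustee="AU"):
    """Append (A;;0x1;;;trustee) unless that trustee can already read."""
    if not TRUSTEE_RE.match(trustee):
        raise ValueError("trustee must be an SDDL alias or a SID")
    for ace_type, mask, who in parse_aces(custom_sd):
        if ace_type == "A" and who == trustee and mask & 0x1:
            return custom_sd  # already granted, leave the value untouched
    return custom_sd + "(A;;0x1;;;%s)" % trustee


if __name__ == "__main__":
    # Constructed group SID standing in for a real AD or local group.
    new_sd = append_read_ace(SAMPLE_SD, "S-1-5-21-1111-2222-3333-1001")
    print(new_sd)
    print("\n".join(describe(new_sd)))
```

Running `describe` on the existing value before changing it shows which deny ACEs sit ahead of the appended one; those are evaluated first and still apply to any account they match.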

1 comment:

  1. I've been mulling over various SDDL changes and this was to the point. Didn't know if it would help others, but I assigned AD users to a local group on the machine, then assigned the SID of the group. To get the SID, use either the 'whoami /group /sid' (utility from MS) or WMIC: group list brief. Thanks. Sorry for going anonymous, but I'm short on time...
