Granting permissions to security logs

Guest

Does anyone know how to grant access to a Windows 2000 Server AD domain
controller security log, without giving the users the right to purge, etc.?
 
Curtis Koenig [MSFT]

So you have a couple of choices. The one with the most security is that you
dump the log (in either EVT or TXT format) and then give it to the person
to review offline. The EVT file will only show SIDs for users and objects
if the computer viewing the file does not have access to your domain (this
translation is done by Event Viewer on the fly). If you dump in TXT format
it dumps the friendly names.

Second option is to grant the user the right to "Manage auditing and
security log". This lets them do what they want in terms of viewing, but
they can also delete, which you don't want; these roles are not separable, so
if you get read you get edit as well as other rights.

For 2003 this gets much easier (sort of) as you can use SDDL to grant only
read access:
323076 How to set event log security locally or by using Group Policy in
http://support.microsoft.com/?id=323076

--
Curtis Koenig
Security Support Engineer
Product Support Services, Security Team
MCSE, MCSES, CISSP

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!
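The read-only option for Windows Server 2003 mentioned above works by writing an SDDL string to the CustomSD registry value of the Security log, as described in KB 323076. The following PowerShell script is an added example, not code from the thread or from Microsoft: it appends a read-only ACE for a reviewer group to that descriptor and then parses the result to confirm the group was granted read (0x1) and not write (0x2) or clear (0x4). The group SID and the fallback base descriptor are constructed placeholders; the log-specific mask bits are the ones documented in KB 323076.

```powershell
# Added example (not from the thread): grant a reviewer group read-only access
# to the Security event log on Windows Server 2003 via the CustomSD value that
# KB 323076 describes, then verify the resulting descriptor.

# PLACEHOLDER SID for the reviewer group; replace with your group's SID,
# e.g. (Get-ADGroup 'Security Log Readers').SID.Value
$ReviewerSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'

# Event-log-specific access mask bits (from KB 323076)
$LOG_READ  = 0x1
$LOG_WRITE = 0x2
$LOG_CLEAR = 0x4

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

function Get-CurrentLogSddl {
    # Use the existing CustomSD if an admin already set one; otherwise start
    # from a constructed base that gives SYSTEM and Administrators full
    # control and nobody else anything (assumption, not the OS default).
    $existing = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).CustomSD
    if ($existing) { return $existing }
    return 'O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)'
}

function Add-ReadOnlyLogAce {
    param([string]$Sddl, [string]$Sid)
    # Append an access-allowed ACE carrying only the read bit for this SID.
    return $Sddl + ('(A;;0x{0:x};;;{1})' -f $LOG_READ, $Sid)
}

function Test-ReadOnlyLogAccess {
    param([string]$Sddl, [string]$Sid)
    # Parse the SDDL with .NET and check that the reviewer's ACE is an allow
    # ACE with read set and neither write nor clear set.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        $isAllow   = $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed
        $hasRead   = ($ace.AccessMask -band $LOG_READ) -ne 0
        $hasModify = ($ace.AccessMask -band ($LOG_WRITE -bor $LOG_CLEAR)) -ne 0
        return ($isAllow -and $hasRead -and -not $hasModify)
    }
    return $false   # no ACE for this SID at all
}

$newSddl = Add-ReadOnlyLogAce -Sddl (Get-CurrentLogSddl) -Sid $ReviewerSid

if (-not (Test-ReadOnlyLogAccess -Sddl $newSddl -Sid $ReviewerSid)) {
    throw "Descriptor would not give $ReviewerSid read-only access: $newSddl"
}

# Write the descriptor; the Event Log service reads CustomSD at startup, so
# restart the service (or reboot) for it to take effect.
Set-ItemProperty -Path $RegPath -Name CustomSD -Value $newSddl -Type String
Write-Host "CustomSD set to: $newSddl"
```

Running the verification before writing matters because a single ACE that also carries 0x4 would quietly give the reviewer the clear right the original question was trying to withhold. On Windows Vista/Server 2008 and later the same descriptor is managed with `wevtutil gl Security` / `wevtutil sl Security /ca:<SDDL>`, and the built-in Event Log Readers group (S-1-5-32-573) already provides read-only access without custom SDDL.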

--------------------
 
Guest

Thanks. We ended up granting the manage and audit security log right via Group
Policy. However, we did some testing, and no one with OU admin only privs was
able to delete or modify the logs. They could save a copy to their hard drive,
but that was it. Otherwise it said access was denied if they tried deleting
the logs.
 