Giving Non-Administrators permission to read Event Logs on Windows 2003 and Windows 2008

Apologies for not blogging for some time. I have been away on vacation, out of the country on training, plus work commitments, so add that up and it equals an enforced hiatus. Plus of course do not forget the Volcano :).

Well, I am back now and have some interesting information about Event Log access and the way things have changed in Windows 2008. This comes out of some work I have been doing with my customer.

So if you want to give Non-Administrator users remote access to Event Logs, and the servers or Domain Controllers they are accessing are Windows 2003, follow the steps below.

I have extrapolated the information from the following two KB articles. It is not straightforward, because it works by replacing each event log's discretionary access control list (DACL), expressed as an SDDL string, through policy.

https://support.microsoft.com/kb/323076 and https://support.microsoft.com/kb/914392

This works for both Domain Controllers and Member Servers. So where the steps below talk about the Default Domain Group Policy, substitute the Group Policy Object that applies to the machines in question.

You will also need a name-to-SID utility, because the ACE you add has to carry the group's SID rather than its name. Details here:

https://support.microsoft.com/kb/276208

There are other such tools, both external and internal to Microsoft. The internal one is only available to you through a Premier Support call, if you have a Premier contract.

Plus of course there is PsGetSid from Windows Sysinternals:

https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

As per the article, follow the steps below.

Use Group Policy to Set Your Application and System Log Security for a Domain, Site, or Organizational Unit in Active Directory

Important: The "Eventlog:" settings described below are not visible in the Group Policy editor by default. First complete the following steps to expose them, and then continue to the "Use Group Policy to Set the Log Security" steps:

1. Use a text editor such as Notepad to open Sceregvl.inf in the %Windir%\Inf folder.

2. Add the following lines to the [Register Registry Values] section:

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

3. Add the following lines to the [Strings] section:

AppCustomSD="Eventlog:Security descriptor for Application event log"

SecCustomSD="Eventlog:Security descriptor for Security event log"

SysCustomSD="Eventlog:Security descriptor for System event log"

DSCustomSD="Eventlog:Security descriptor for Directory Service event log"

DNSCustomSD="Eventlog:Security descriptor for DNS Server event log"

FRSCustomSD="Eventlog:Security descriptor for File Replication Service event log"

4. Save the changes you made to the Sceregvl.inf file, and then run the regsvr32 scecli.dll command.

5. Start Gpedit.msc (or the Group Policy Object Editor for the GPO you are using), and expand the following branches:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

6. Look in the right-hand pane for the new "Eventlog:" settings.

Use Group Policy to Set the Log Security

1. Open the relevant Group Policy Object for the member server (or Domain Controller) and go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Look for the "Eventlog:" settings you have just exposed.

2. Use a name-to-SID utility (or PsGetSid) to find the SID of the group you want to give access to the event logs.

3. Open "Eventlog: Security descriptor for Application event log" and click "Define this policy setting". The value you enter is the complete SDDL string for that log, so start from the log's current descriptor, which (when one has been set) is held in the CustomSD value of the log's registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD etc…

If CustomSD is not present, the log is using the default descriptor explained in the table below. Copy the value for each of the event logs you are changing (Application, System, Security, etc…) and append an ACE for your group in the form (A;;0x3;;;SID of the Group), with no spaces anywhere in the string. For the Application log with the default descriptor, the result looks like this:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;SID of the Group)

Here 0x3 grants read and write (0x1 + 0x2). Write is only required if the group needs to write events into the log (for example, an application service running under that account). Use 0x1 instead of 0x3 if the group only needs READ access to the log.

4. Run gpupdate on the member server or DC.

As an FYI, here is the explanation of each part of the default descriptor:

Entry              Meaning
O:BA               Object owner is Built-in Administrators (BA).
G:SY               Primary group is System (SY).
D:                 What follows is the DACL (the access list), rather than an audit entry or SACL.
(D;;0xf0007;;;AN)  Deny Anonymous (AN) all access.
(D;;0xf0007;;;BG)  Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY)  Allow System READ and CLEAR, plus DELETE, READ_CONTROL, WRITE_DAC and WRITE_OWNER (the standard rights indicated by the 0xf0000 part of the mask).
(A;;0x7;;;BA)      Allow Built-in Administrators READ, WRITE and CLEAR.
(A;;0x7;;;SO)      Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU)      Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU)      Allow Service accounts READ and WRITE.
(A;;0x3;;;S-1-5-3) Allow Batch accounts (S-1-5-3) READ and WRITE.

Because the two deny entries come first, they take precedence: anonymous and guest access stays denied regardless of what you allow later in the string.

The specific event log access mask bits are:

0x0001 ELF_LOGFILE_READ   Permission to read the log.
0x0002 ELF_LOGFILE_WRITE  Permission to write to the log.
0x0004 ELF_LOGFILE_CLEAR  Permission to clear the log.

However, for Windows 2008, life gets much easier.

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case, just add them to the built-in Event Log Readers group (SID S-1-5-32-573). Note that the group is local to each machine, so for remote viewing it has to be populated on the server whose logs are being read, not on the viewer's workstation; Restricted Groups in Group Policy is a convenient way to do that across many servers.

However, if you do not want to give access to ALL event logs, you still have to resort to SDDL. Be deliberate with the Security log in particular: read access to it exposes the logon and audit events of every account on the server, so grant it per log and only where the requirement is real.

The place where the SDDL lives has also changed in Windows 2008: it is no longer edited as the CustomSD value in the registry. The descriptor is now part of the log's channel configuration, which you read and set with the wevtutil utility. (Group Policy can set the same string through the "Configure log access" settings under Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service.)

For example, if you need to define access to just the System event log on a Windows 2008 server:

1. Open an elevated command prompt and run the following command to dump the System log's configuration, including its SDDL, to a text file:

wevtutil gl System > C:\temp\out.txt

2. Open the text file and copy out the channelAccess: entry. For a default System log it looks like this:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

3. Copy the Interactive Users (IU) entry, (A;;0x1;;;IU), which grants read only (0x1), and append the same ACE with the SID of your user or group in place of IU. There must be no spaces anywhere in the string:

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;SID of your user or group)

4. Last, apply the new SDDL. Replace O:BAG:XXXX with the full string you created in the previous step:

wevtutil sl System /ca:O:BAG:XXXX

Run wevtutil gl System again to confirm the channelAccess value took, then test as the non-admin user before rolling the string out more widely.

In addition, you can remove the Event Log Readers group's access to an individual log by deleting the (A;;0x1;;;S-1-5-32-573) entry from that log's SDDL string before applying it with wevtutil sl.
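Because the Windows 2003 CustomSD policy value and the Windows 2008 channelAccess value are both plain SDDL strings, the same string edits serve both procedures above. The PowerShell below is an added example, not code from the original post or from Microsoft: it resolves a group name to its SID (standing in for the name2sid / PsGetSid step), decodes each ACE using the mask bits from the table above, appends the read-only ACE exactly as described (and optionally drops the Event Log Readers ACE), and for Windows 2008 reads and writes the descriptor through wevtutil. It assumes an elevated PowerShell session on the server that owns the log, and the group name CONTOSO\EventLog-Viewers is a placeholder for your own group. The default 2003 Application log descriptor used at the end is the one from the table above.

```powershell
# Added example (not from the original post): inspect, edit and apply an event log SDDL.
# Assumes PowerShell 2.0 or later, run elevated on the server that owns the log.
# 'CONTOSO\EventLog-Viewers' below is a placeholder group name; replace it with yours.

$EventLogReadersSid = 'S-1-5-32-573'   # built-in Event Log Readers (Windows 2008 and later)

function Resolve-AccountSid {
    # Stands in for the name2sid / PsGetSid step: 'DOMAIN\Group' -> 'S-1-5-21-...'.
    param([Parameter(Mandatory = $true)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Convert-EventLogMask {
    # Names the bits in the post's table: 0x1 READ, 0x2 WRITE, 0x4 CLEAR, plus the
    # standard rights that make up the 0xf0000 part of masks such as 0xf0007 and 0xf0005.
    param([Parameter(Mandatory = $true)][int]$Mask)
    $bits = @(
        @(0x1, 'READ'), @(0x2, 'WRITE'), @(0x4, 'CLEAR'),
        @(0x10000, 'DELETE'), @(0x20000, 'READ_CONTROL'),
        @(0x40000, 'WRITE_DAC'), @(0x80000, 'WRITE_OWNER'))
    $names = @(foreach ($b in $bits) { if ($Mask -band $b[0]) { $b[1] } })
    if ($names.Count) { $names -join '|' } else { 'NONE' }
}

function Show-EventLogSddl {
    # Decodes every ACE in the DACL so you can see who gets what before you apply it.
    param([Parameter(Mandatory = $true)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    "Owner: $($sd.Owner)  Group: $($sd.Group)"
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        $hex = '0x{0:x}' -f $ace.AccessMask
        '{0,-13} {1,-9} {2,-44} {3}' -f $ace.AceType, $hex, (Convert-EventLogMask $ace.AccessMask), $who
    }
}

function Edit-EventLogSddl {
    # Appends (A;;<mask>;;;<SID>) with no spaces, as the post describes, after removing any
    # existing ACE for that SID; -RemoveEventLogReaders also drops (A;;...;;;S-1-5-32-573).
    param(
        [Parameter(Mandatory = $true)][string]$Sddl,
        [Parameter(Mandatory = $true)][string]$Sid,
        [int]$Mask = 0x1,                       # 0x1 read only, 0x3 read + write
        [switch]$RemoveEventLogReaders
    )
    $Sddl = $Sddl -replace '\s', ''             # a stray space makes the whole SDDL invalid
    $acePattern = '\([AD];[^;]*;[^;]*;[^;]*;[^;]*;{0}\)'
    $Sddl = $Sddl -replace ($acePattern -f [regex]::Escape($Sid)), ''
    if ($RemoveEventLogReaders) {
        $Sddl = $Sddl -replace ($acePattern -f [regex]::Escape($EventLogReadersSid)), ''
    }
    $new = $Sddl + ('(A;;0x{0:x};;;{1})' -f $Mask, $Sid)
    # Round-trip through the Windows SDDL parser so a typo fails here, not at gpupdate time.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)
    $new
}

function Get-ChannelAccess {
    # Windows 2008 and later: the channelAccess line of 'wevtutil gl <log>'.
    param([Parameter(Mandatory = $true)][string]$LogName)
    $line = @(wevtutil gl $LogName | Where-Object { $_ -like 'channelAccess:*' })
    if ($LASTEXITCODE -ne 0 -or -not $line) { throw "wevtutil gl $LogName failed" }
    ($line[0] -replace '^channelAccess:\s*', '').Trim()
}

function Set-ChannelAccess {
    # Windows 2008 and later: the same as 'wevtutil sl <log> /ca:<sddl>' from the post.
    param([Parameter(Mandatory = $true)][string]$LogName,
          [Parameter(Mandatory = $true)][string]$Sddl)
    wevtutil sl $LogName "/ca:$Sddl"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl $LogName failed" }
}

# --- Windows 2008: read-only access to the System log for one group ----------------------
$sid = Resolve-AccountSid 'CONTOSO\EventLog-Viewers'     # placeholder group name
$cur = Get-ChannelAccess 'System'
Show-EventLogSddl $cur
$new = Edit-EventLogSddl -Sddl $cur -Sid $sid -Mask 0x1
Show-EventLogSddl $new
# Set-ChannelAccess 'System' $new                          # uncomment to apply

# --- Windows 2003: build the string to paste into the "Eventlog: Security descriptor for
#     Application event log" policy, starting from the default descriptor in the post's table.
$w2k3Default = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)'
Edit-EventLogSddl -Sddl $w2k3Default -Sid $sid -Mask 0x1
```

The edits are done as string operations rather than by re-serialising the parsed descriptor on purpose: the Windows SDDL writer would turn 0x1 into letter rights such as CC, which is valid but no longer matches what wevtutil prints, so the output stays in the same hex form the post uses and can be pasted straight into the policy or into wevtutil sl. The parse in Edit-EventLogSddl is there only to reject a malformed string before it reaches the server. To test the result, run something like Get-WinEvent -LogName System -MaxEvents 5 -ComputerName <server> as a member of the group and confirm it no longer gets access denied.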

Comments

  • Anonymous
    January 01, 2003
    Hi. I have a requirement to set permissions on a custom event log ( one that is located under 'Application and Service logs' ), for a domain based service account to have full control while all other users to have read-only control, on a member server in my active directory domain. The domain controllers as well as the member server are running Windows 2008 R2. I have been able to modify the 'sceregvl.inf' to populate the security descriptors for the custom log. I need help is understanding and constructing the SD string that needs to be fed in as the value in the GPO entry for the newly created event log setting.

  • Anonymous
    January 01, 2003
Hey guys... I am trying to do the same, however it is not working for me. I have a group in a parent domain and I am trying to give permission on the domain controllers in the child domain; not sure if it makes a difference... please suggest... However, I can see the SID added in the CustomSD registry entry...

  • Anonymous
    January 01, 2003
Also, when I navigate to 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application' I don't see a 'CustomSD' key/value under it for me to copy the value for reference.

  • Anonymous
    January 01, 2003
    No Problem glad I could help

  • Anonymous
    January 01, 2003
Does this look right? HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD (A;;0x3;;;S-1-5-21-********)?? Is there a space between the word CustomSD and (??? I have added this to the SD for App Log. When I check the event logs after a gpupdate and/or reboot, I am receiving access denied?

  • Anonymous
    January 01, 2003
    You can grant non-administrators rights to remotely view all or any combination of event logs (Application, Security, etc...) with System Frontier starting with v1.3. It will be out this week. http://systemfrontier.com. It works with every version of Windows starting with Windows 2003.

  • Anonymous
    January 01, 2003
    The comment has been removed

  • Anonymous
    January 01, 2003
    JL, Nice and helpful article. Thank you for the post :)

  • Anonymous
    January 01, 2003
    Thanks!

  • Anonymous
    November 02, 2010
Hi, I executed this task successfully. Thanks a lot. Could you please walk me through the process of applying this setting for a group containing a number of users, instead of a particular user?

  • Anonymous
    January 10, 2011
    The comment has been removed

  • Anonymous
    March 22, 2011
Nice article and very helpful. This is a valid request which we get from site admins in order to read the security logs to monitor logon events etc. Thanks again.

  • Anonymous
    November 04, 2011
    I get "access denied" when trying to save the changes. Everything is set so that I can make changes, but it doesn't let me.

  • Anonymous
    February 01, 2012
    I also cannot save the Sceregvl.inf on my 2008 R2 DC. And I wish someone would explain how to do this for the Security Event logs.  The SDDL format is not hex.

  • Anonymous
    March 27, 2012
    Help.. I am stuck! I am able to see the event log descriptor settings via local policy, but am missing a step to get them to show up in a domain group policy. I have a few dozen windows 2003 servers I need to apply this change to. Do I need to import the GPO setting somehow? Thanks!

  • Anonymous
    October 17, 2012
Help.. I read the article and I understand all except how to add the string to the dword. For example: Open the relevant Policy for the member server. Open Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Look for Event Log settings. Open “Eventlog: Security descriptor for Application event log”. Click on Define this policy setting. Copy the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD. So how do you append respective event logs with (A;; 0x3;;;SID of the Group)? Please provide an example of what the string should look like. Thank you

  • Anonymous
    October 17, 2012
    What he is saying is to copy the value in the registry key, append the code - (A;; 0x3;;;SID of the Group) - to what you get (e.g. in Notepad) and then paste it into your policy. Let me know if you need help, I'm happy to do a quick call if needed. Grant MG Technology Group

  • Anonymous
    November 19, 2012
This doesn't seem to work for the security log if the user is running as batch or as a service. I can take the same permission set that works for reading SYSTEM and set it for SECURITY and yet it still will get an access denied error unless I add the user to local admin.

  • Anonymous
    December 10, 2012
You state that the built-in "Event Log Reader" group allows read access to ALL event logs, however it doesn't allow a regular user to remotely access system/application event logs on other computers.

  • Anonymous
    April 25, 2013
Hi.. I am trying to log events from Windows 7 to Windows 2003/2008. It was working earlier but for a few days I could not see any log messages from Windows 7 machines. When I checked the code, it says ReportEvent (VB6) is failing. Can you tell me what permissions are required to update a Windows 2003/2008 event log from Windows 7?

  • Anonymous
    September 24, 2013
    Is it required to restart server to take changes in effect ?

  • Anonymous
    October 28, 2013
    Can we see some working examples? I can't figure out the part:

  1. Open “Eventlog: Security descriptor for Application event log”. Click on Define this policy setting. Copy the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD etc… Copy the above value for each of the event logs (like application, system, security etc…) & append respective event logs with (A;; 0x3;;;SID of the Group) in the above policy