Sign in with
Sign up | Sign in
Your question

Granting permissions to security logs

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
February 22, 2005 2:03:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Does anyone know how to grant access to a Windows 2000 server AD Domain
controller security log - without giving the users the right to purge, etc?
Anonymous
a b 8 Security
March 16, 2005 1:46:29 AM

Archived from groups: microsoft.public.win2000.security (More info?)

So you have a couple of choices, the one with the most security is that you
dump the log (in either EVT or TXT format) and then give it to the person
to review offline. The EVT file will only show SIDS for users and objects
if the computer viewing the files does not have acces to your domain (this
translation is done by event viewer on the fly). If you dumpt in TXT format
it dumps the friendly names.

Second option is to grant rights to right to the user to "Manage auditing
and security log. This lets them do what they want in terms of viewing but
they can also delete which you don't want, these roles are not seperable so
if you get read you get edit as well as other rights.

For 2003 this gets much easier (sort of) as you can use SDDL to grant only
read access:
323076 How to set event log security locally or by using Group Policy in
http://support.microsoft.com/?id=323076

--
Curtis Koenig
Security Support Engineer
Product Support Services, Security Team
MCSE, MCSES, CISSP

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!

--------------------
>From: "=?Utf-8?B?cGlnc2tpbg==?=" <pigskin@discussions.microsoft.com>
>Subject: Granting permissions to security logs
>Date: Tue, 22 Feb 2005 11:03:02 -0800
>
>Does anyone know how to grant access to a Windows 2000 server AD Domain
>controller security log - without giving the users the right to purge, etc?
>
Anonymous
a b 8 Security
March 16, 2005 7:15:05 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Thanks, We ended up granting the manage and audit security log via group
policy. However, we did some testing and no one with ou admin only privs was
able to delete or modify the logs. The could save a copy to their hard drive
but that was it. Otherwise it said access was denied if they tried deleting
the logs

"Curtis Koenig [MSFT]" wrote:

> So you have a couple of choices, the one with the most security is that you
> dump the log (in either EVT or TXT format) and then give it to the person
> to review offline. The EVT file will only show SIDS for users and objects
> if the computer viewing the files does not have acces to your domain (this
> translation is done by event viewer on the fly). If you dumpt in TXT format
> it dumps the friendly names.
>
> Second option is to grant rights to right to the user to "Manage auditing
> and security log. This lets them do what they want in terms of viewing but
> they can also delete which you don't want, these roles are not seperable so
> if you get read you get edit as well as other rights.
>
> For 2003 this gets much easier (sort of) as you can use SDDL to grant only
> read access:
> 323076 How to set event log security locally or by using Group Policy in
> http://support.microsoft.com/?id=323076
>
> --
> Curtis Koenig
> Security Support Engineer
> Product Support Services, Security Team
> MCSE, MCSES, CISSP
>
> This posting is provided "AS IS" with no warranties and confers no rights.
> Please reply to the newsgroup so that others may benefit. Thanks!
>
> --------------------
> >From: "=?Utf-8?B?cGlnc2tpbg==?=" <pigskin@discussions.microsoft.com>
> >Subject: Granting permissions to security logs
> >Date: Tue, 22 Feb 2005 11:03:02 -0800
> >
> >Does anyone know how to grant access to a Windows 2000 server AD Domain
> >controller security log - without giving the users the right to purge, etc?
> >
>
>
!