Monday, March 12, 2012 10:08 AM
I configured my Windows 2008 R2 machine the following way:
- Created a new non-privileged user
- Added this new user to "event log readers" group.
- Granted the user access to the Security Event Log (wevtutil gl security) or sddl in the registry as with Windows 2003 Server.
That all did the job; I can read the event logs, including the descriptions.
Now I configured a second machine the same way, but this machine is a Windows 2008 Standard Enterprise server. The difference: On this machine my newly created user can read all the logs, but not the security event log descriptions:
As you see, it says "The description for Event ID...". This happens for every event. When I add this user to the "Administrators" group and also disable UAC I can read all the logs:
So what's the point? The settings allow me to see everything on the Windows 2008 R2 machine, but on the 'Standard' one it does not suffice to get the actual message text? Did I miss something?
Tuesday, March 13, 2012 8:20 AM Moderator
Have you enabled auditing for security events on Windows 2008? We need to enable security auditing at local group policy under the following path.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
In order to return a more detailed list of security-auditing events, please run the following command:
Wevtutil gp Microsoft-Windows-Security-Auditing /ge /gm:true
For detailed information about Security Auditing, please refer to the following articles:
Advanced Security Auditing in Windows 7 and Windows Server 2008 R2
Description of security events in Windows Vista and in Windows Server 2008
TechNet Community Support
- Marked As Answer by Aiden_Cao (Microsoft Contingent Staff, Moderator), Thursday, March 22, 2012 1:25 AM
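To confirm on each server that the channel ACL from the setup steps in the question actually grants the account read access, the `channelAccess` SDDL reported by `wevtutil gl security` can be evaluated against the account's SIDs. This is an added example, not code from the thread; the function names `Get-ChannelAce` and `Test-ChannelRead`, the sample SDDL strings and the user SID are constructed for illustration, and only ACEs with hex access masks are evaluated.

```powershell
# Added example, not from the thread. The SDDL strings and the user SID are constructed.
# On a live host the SDDL is the "channelAccess:" value printed by: wevtutil gl security
$READ  = 0x1   # event log access mask bits: 0x1 read, 0x2 write, 0x4 clear
$Alias = @{ 'SY' = 'S-1-5-18'; 'BA' = 'S-1-5-32-544'; 'BU' = 'S-1-5-32-545'
            'AU' = 'S-1-5-11'; 'WD' = 'S-1-1-0' }   # common SDDL SID aliases

function Get-ChannelAce {
    param([string]$Sddl)
    # Each ACE is "(type;flags;rights;objectGuid;inheritGuid;trustee)".
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')
        # Only hex access masks are handled; other ACEs are skipped.
        if ($f.Count -ne 6 -or $f[2] -notmatch '^0x[0-9a-fA-F]{1,8}$') { continue }
        $sid = $f[5]
        if ($Alias.ContainsKey($sid)) { $sid = $Alias[$sid] }
        New-Object PSObject -Property @{
            Type = $f[0]; Mask = [Convert]::ToInt32($f[2], 16); Sid = $sid }
    }
}

function Test-ChannelRead {
    param([string]$Sddl, [string[]]$TokenSids)
    # ACEs are evaluated in order: the first ACE that names one of the
    # token's SIDs and covers the read bit decides (D = deny, A = allow).
    foreach ($ace in Get-ChannelAce $Sddl) {
        if ($TokenSids -notcontains $ace.Sid) { continue }
        if (($ace.Mask -band $READ) -eq 0) { continue }
        if ($ace.Type -eq 'D') { return $false }
        if ($ace.Type -eq 'A') { return $true }
    }
    return $false   # no matching ACE grants read
}

# SIDs carried by the non-privileged account (constructed user SID + group).
$token = @('S-1-5-21-1111111111-2222222222-3333333333-1105',
           'S-1-5-32-573')   # S-1-5-32-573 = BUILTIN\Event Log Readers

$samples = @{
    'with Event Log Readers ACE'    = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'
    'without Event Log Readers ACE' = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)'
}
foreach ($name in $samples.Keys) {
    "{0}: read allowed = {1}" -f $name, (Test-ChannelRead $samples[$name] $token)
}
```

The check covers channel read access only; it says nothing about whether the event message text can be rendered for that account.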