Admin privileges but without access to Event Viewer/Logs

  • Question

  • Hello,

    We need to create a security group to satisfy the requirements below

    The requirements are:

    1.  Create a Security Group with Administrator Privileges but without Access to Event Viewer.
    2.  Create a Security Group with Administrator Privileges that can access Event Viewer but cannot delete Event Viewer logs.

    How do we do this?

    Would we be just using built in Groups or should we try tweaking Group Policies? 

    Please help.

    Thank you 
    Sunday, July 1, 2012 10:56 PM

All replies

  • Are you talking about domain admin rights?  A domain admin can do anything and you can't limit their access.  The rule of thumb there is to limit admins.

    There is the event log readers group that the DS team discussed here   http://blogs.technet.com/b/askds/archive/2011/10/28/friday-mail-sack-they-pull-me-back-in-edition.aspx#event 

    The event log readers group will not meet either of your requirements 100% but could be a starting point for #2.

    Thanks

    Mike


    http://adisfun.blogspot.com

    Monday, July 2, 2012 12:01 AM
  • How have you assigned admin privileges to the security groups? Can you elaborate? However, you can refer to the links below to provide read access to event logs on a DC.

    Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008(DC)
    http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx
    http://www.chrisse.se/MAQB.asp?ID=58

    The “Event Log Readers” group is not available in Windows Server 2003. However, if you have a Win2008 DC you can easily provide read access to the event log by adding users/groups to the built-in "Event Log Readers" group.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.




    Monday, July 2, 2012 3:58 AM
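
As an added illustration (not part of any reply in this thread), the PowerShell below decodes an event log channel's security descriptor to show which principals can read, write or clear the log, the distinction requirement #2 turns on. The SDDL string is a constructed sample in the format `wevtutil gl Security` reports as `channelAccess`, and `Get-EventLogAceSummary` is a hypothetical helper name.

```powershell
# Added example: decode an event log channel SDDL into read/write/clear rights.
# Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
$EventLogRights = [ordered]@{ Read = 0x1; Write = 0x2; Clear = 0x4 }

function Get-EventLogAceSummary {
    param(
        [Parameter(Mandatory = $true)] [string] $Sddl
    )
    # RawSecurityDescriptor parses the SDDL string into owner, group and ACEs.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Collect the names of the event log rights set in this ACE's mask.
        $rights = foreach ($name in $EventLogRights.Keys) {
            if ($ace.AccessMask -band $EventLogRights[$name]) { $name }
        }
        # Resolve the SID to a name where possible; fall back to the raw SID.
        try {
            $account = $ace.SecurityIdentifier.Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $ace.SecurityIdentifier.Value
        }
        [pscustomobject]@{
            Account = $account
            Sid     = $ace.SecurityIdentifier.Value
            AceType = $ace.AceType          # AccessAllowed or AccessDenied
            Rights  = ($rights -join ',')
        }
    }
}

# Constructed sample SDDL (assumption): SYSTEM full, BUILTIN\Administrators
# read+clear, Event Log Readers (S-1-5-32-573) read only. On a live system the
# real value is the channelAccess line printed by: wevtutil gl Security
$sample = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)'

$summary = Get-EventLogAceSummary -Sddl $sample
$summary | Format-Table -AutoSize

# Principals that are allowed to clear the log.
$summary | Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.Rights -match 'Clear' } |
    Select-Object Account, Sid, Rights
```

With this sample, the Event Log Readers entry carries only `Read`, while the SYSTEM and BUILTIN\Administrators entries include `Clear`.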
  • Yes sir, on the two Security Group requirements both are members of Domain Admins or intended to be in that account privilege.

    1.  Create a Security Group with Domain Administrator Privilege but without Access to Event Viewer.
    - They have to be denied to access Event Viewer or denied to view Logs. Is this attainable sir? 

    2. Solved thanks sir Mike, and sir Sandesh.
    Monday, July 2, 2012 5:20 AM
  • If both are members of the Domain Admins group, then it is difficult to achieve this. But why do you want multiple users to have access to the event log of a DC? Normally administrators and, if required, junior administrators should have access to the DC event log.

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, July 2, 2012 5:42 AM
  • Hello,

    You can NOT restrict domain admins from any admin tasks; whatever you configure, the domain admins are able to revert the settings in their own domain.

    So either use elevated permissions with advanced security configuration for all required settings/attributes/NTFS settings, or accept that they are able to read and delete the event viewer logs.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, July 2, 2012 6:35 AM
  • I agree, you can't restrict a domain admin from accessing or modifying anything in the single forest/domain. It's not even a correct configuration to have too many domain admins in the domain. Just to allow read access to the event log, you don't need domain admin rights, but the proper way to achieve this is delegation, as suggested by others.

    http://www.chrisse.se/MAQB.asp?ID=58


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, July 2, 2012 9:13 AM
  • Yes sir, on the two Security Group requirements both are members of Domain Admins or intended to be in that account privilege.

    1.  Create a Security Group with Domain Administrator Privilege but without Access to Event Viewer.
    - They have to be denied to access Event Viewer or denied to view Logs. Is this attainable sir? 

    2. Solved thanks sir Mike, and sir Sandesh.

    Unfortunately you won't be able to accomplish #1,  the thing to do there is limit domain admins.  I'm currently going through the same fight at work with too many admins...large federal agency.

    Thanks

    Mike


    http://adisfun.blogspot.com

    Monday, July 2, 2012 11:22 AM
  • Thanks sir Mike, sir Awinish, sir Meinolf, sir Sandesh.
    Thursday, July 5, 2012 1:16 AM