How Do I Provide Read-Only Access To the Security Log on a Domain Controller?

Introduction

In this section we will learn how to grant explicit read-only access to the Security event log on a specific machine to a specific domain user or group. The access is controlled by a security descriptor (an SDDL string) stored in the CustomSD registry value of that log; the steps below edit that value.

Method

Step 1: Log on to the domain controller (or other machine) on which the access needs to be granted, using an account that is a local administrator. The value edited below lives under HKEY_LOCAL_MACHINE and cannot be written by a standard user.

Step 2: Open Registry Editor: click Start -> Run, type "regedit" in the Run box, then press Enter.

Step 3: After Registry Editor opens, navigate to the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security". CustomSD is a value inside this key, not a subkey. (The Application and System logs have the same layout under their own keys, so the same procedure applies to them.)

Step 4: Find the SID of the user or group that will be granted access, for example with the Sysinternals PsGetSid tool ("psgetsid DOMAIN\name") or, on a domain controller, with PowerShell ("Get-ADUser name" or "Get-ADGroup name", which show the SID property).

Step 5: Append an access-allowed ACE for that SID to the existing CustomSD string. Do not replace the whole string with a single ACE: the existing entries for SYSTEM, Administrators, Anonymous and Guests must stay. The ACE for read-only access is:

(A;;0x1;;;<User or group SID>)

The access mask of an event log is made of three bits: 0x1 = read, 0x2 = write, 0x4 = clear. Read-only therefore means 0x1 alone. Do not use 0xf0003 for this purpose: it is 0xf0000 (the standard rights, including DELETE, WRITE_DAC and WRITE_OWNER) plus read and write, so it would let the account write to the Security log and change its permissions. Never grant 0x4 (clear) to an account that only needs to read; that right lets the holder wipe the audit trail.

Note: If the CustomSD value does not exist, create it in this key as type REG_SZ (String).

With the descriptor used here as the starting point, the new value is:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;<User or group SID>)

Reading the string: "O:BA" is the owner (Administrators), "G:SY" the primary group (SYSTEM), and "D:" begins the DACL. Each ACE has the form (type;flags;rights;;;trustee), where D denies and A allows. Anonymous (AN) and Guests (BG) are denied everything, SYSTEM (SY) gets read and clear plus the standard rights (0xf0005), Administrators (BA) get read and clear (0x5), and the new entry gives the chosen SID read only. Deny entries are listed first so they take precedence. Type the string carefully: a malformed descriptor can lock administrators out of the Security log as well.

For example, if the SID of the user/group is S-1-5-21-2266724155-2204522482-4038965295-3673, the value of CustomSD will be:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-21-2266724155-2204522482-4038965295-3673)

The best practice is to put a group SID in the descriptor and add users to that group, so later membership changes need no further registry edits. On Windows Vista/Server 2008 and later the built-in Event Log Readers group (S-1-5-32-573) already holds read access (0x1) to the Security log in the default descriptor; if plain read access is all that is needed, adding the account to that local group gives the same result without touching the registry. Where the setting must be applied to many machines, the same SDDL string can be pushed through Group Policy (Computer Configuration -> Administrative Templates -> Windows Components -> Event Log Service -> Security -> Configure log access).

Step 6: Exit Registry Editor. Verify the new descriptor with "wevtutil gl Security": the channelAccess line should contain the new SID (well-known SIDs such as BA and SY stay abbreviated). Then, as the user who was granted access, confirm that the Security log opens in Event Viewer or that "wevtutil qe Security /c:1 /rd:true" returns the most recent event. If the old descriptor is still reported, restart the Windows Event Log service or reboot the machine.
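The whole procedure above, steps 4 to 6, as an added PowerShell example that is not part of the original article. It resolves the account to a SID, parses the existing CustomSD (falling back to this article's baseline descriptor when the value is absent), appends a read-only ACE (0x1) for the account, backs up the old value, writes the new REG_SZ and prints the descriptor wevtutil now reports. The group name CONTOSO\SecLogReaders and the script file name are assumptions; run it from an elevated PowerShell prompt on the machine whose log is being shared.

```powershell
# Added example (not from the original article): grant a domain group read-only
# access to the Security log by appending an access-allowed ACE to CustomSD.
# Run in an elevated PowerShell on the machine whose log is being shared.
# 'CONTOSO\SecLogReaders' is an assumed group name; substitute your own.
param(
    [string]$Account = 'CONTOSO\SecLogReaders',
    [string]$LogName = 'Security'
)
$ErrorActionPreference = 'Stop'
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# Event log access mask bits: 0x1 read, 0x2 write, 0x4 clear.
# Read-only is 0x1 alone; do not add 0xf0000 (standard rights, incl. WRITE_DAC).
$ELF_LOGFILE_READ = 0x1

# 1. Resolve the account name to a SID (the PsGetSid step, done in .NET).
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# 2. Read the current CustomSD. If it is absent, start from the baseline
#    descriptor used in this article so the existing deny (AN, BG) and allow
#    (SY, BA) entries are kept.
$baseline = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)'
$current  = (Get-ItemProperty -Path $keyPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if ([string]::IsNullOrWhiteSpace($current)) { $current = $baseline }

# 3. Parse the SDDL instead of concatenating strings. A typo in this value can
#    lock everyone, administrators included, out of the Security log; the parser
#    rejects malformed input before anything is written.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($current)

if ($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid }) {
    Write-Host "An ACE for $Account ($sid) is already present; nothing changed."
    return
}

$ace = New-Object System.Security.AccessControl.CommonAce(
           [System.Security.AccessControl.AceFlags]::None,
           [System.Security.AccessControl.AceQualifier]::AccessAllowed,
           $ELF_LOGFILE_READ, $sid, $false, $null)
# Append after the existing entries so the deny ACEs keep their precedence.
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)

# 4. Back up the old value to a file, then write the new REG_SZ value
#    (Set-ItemProperty creates CustomSD if it does not exist yet).
$backup = Join-Path $env:TEMP "CustomSD-$LogName-$(Get-Date -Format yyyyMMddHHmmss).txt"
Set-Content -Path $backup -Value $current
Set-ItemProperty -Path $keyPath -Name CustomSD -Value $newSddl -Type String
Write-Host "Old value saved to $backup"
Write-Host "New CustomSD: $newSddl"

# 5. Verify: the channelAccess line should now list the group's SID
#    (well-known SIDs such as BA and SY stay abbreviated).
wevtutil gl $LogName | Select-String -Pattern 'channelAccess'
```

Save it as, for example, Grant-SecurityLogRead.ps1 and run ".\Grant-SecurityLogRead.ps1 -Account 'CONTOSO\SecLogReaders'". Building the descriptor through RawSecurityDescriptor rather than string concatenation is the point of the script: a mistyped SDDL is rejected by the parser before it reaches the registry, the new ACE is appended after the deny entries, and the access mask is fixed at 0x1 so the group can read the log but cannot write to it, clear it, or change its permissions.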