How Do I Provide Access To Security Logs in Domain controller?
In this section we will learn how to grant explicit read-only access to the Security log on a specific machine to a specific domain account.
Step 1: Login to the Domain Controller/ Machine on which the access needs to be granted.
Step 2 : Open registry editor, click “Start -> Run -> (type “regedit” in the Run box) -> Enter”
Step 3: After the “registry editor” opens navigate to “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD”
Step 4: Find the SID of the user ID (who would be granted access) using the PsGetSid tool.
Step 5: Append the ACE (A;;0xf0003;;;<User ID SID>) to the existing CustomSD value.
Note: If the CustomSD key does not exist, create it. This should be of type REG_SZ (String).
The new value is:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0xf0003;;;<User ID SID>)
For example, if the SID of the user/group is S-1-5-21-2266724155-2204522482-4038965295-3673, then the value of the CustomSD key will be:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0xf0003;;;S-1-5-21-2266724155-2204522482-4038965295-3673)
The best practice, however, is to use a group SID and add the user to that group.
Step 6: Exit the registry editor.
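The same edit can be scripted so the SID lookup and the SDDL change are done without hand-typing. The PowerShell below is an added example, not part of the original article; the group name CONTOSO\SecLogReaders is a placeholder, and the script must be run as an administrator on the machine whose log is being shared.

```powershell
# Added example (not from the original article): automate Steps 4 and 5.
# Resolves an account to its SID, parses the current CustomSD as SDDL,
# appends an allow ACE for that SID and writes the result back.
function Grant-SecurityLogAccess {
    param(
        [Parameter(Mandatory)][string]$Account,   # e.g. 'CONTOSO\SecLogReaders' (placeholder)
        [int]$AccessMask = 0xf0003                 # the mask used in the article
    )
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'

    # Step 4 equivalent: resolve the account name to its SID (what PsGetSid does).
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Read the existing CustomSD; if it is absent, start from the base descriptor
    # shown in the article (everything except the ACE we are about to add).
    $current = (Get-ItemProperty -Path $keyPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
    if (-not $current) {
        $current = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)'
    }

    # Parse the SDDL so a typo fails here rather than producing an unusable value.
    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($current)
    $dacl = $sd.DiscretionaryAcl

    # Do not add a duplicate ACE if this SID is already listed.
    if ($dacl | Where-Object { $_.SecurityIdentifier -eq $sid }) {
        Write-Warning "$Account already has an ACE in CustomSD; nothing changed."
        return $current
    }

    # Step 5 equivalent: append (A;;<mask>;;;<SID>) to the end of the DACL.
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $AccessMask, $sid, $false, $null)
    $dacl.InsertAce($dacl.Count, $ace)

    # .NET may print masks as rights letters instead of hex; both forms parse identically.
    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Set-ItemProperty -Path $keyPath -Name CustomSD -Value $newSddl -Type String
    return $newSddl
}

# Event log mask bits: 0x1 read, 0x2 write, 0x4 clear, 0xf0000 standard rights.
# 0xf0003 therefore also allows writing; pass -AccessMask 0x1 for strictly read-only.
Grant-SecurityLogAccess -Account 'CONTOSO\SecLogReaders'
```

To confirm the change took effect, run `wevtutil gl Security` and compare its channelAccess line with the descriptor the function returned.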