Event Log Rights for Non-Administrators


Granting event log rights to non-administrators was challenging in Windows 2003 and became easier in Windows 2008 (R2). However, fine-tuned access still requires reading and writing security descriptors by hand.

Event Log Rights Case #1: Read Access only

For Windows 2008, if you just want to grant regular read access, the built-in “Event Log Readers” group is fine. Just put your user(s) into that group.

Event Log Rights Case #2: Read-Write (or other) Access

If you need to grant read/write access, or grant access to groups/users other than “Event Log Readers”, you must build your own SDDL descriptor for each log you want to give access to.

Let’s take the example of the application log. To get the current list of authorized access you can type in the following command:

Alternatively, you can get XML output with:

The line which is of interest is channelAccess. By default, you get the following entry:

S-1-5-32-573 is the SID of the “Event Log Readers” group, as listed in the well-known groups and users list, and the access mask 0x1 means it has read access only.

If you want to add read/write access for a user or group, just get its SID and grant it the 0x3 right (0x1 read + 0x2 write). To get the SID you can use PsGetSid from Sysinternals or the Get-ADUser / Get-ADGroup cmdlets in PowerShell:

Then use the wevtutil sl command and its /ca switch to overwrite the channelAccess value:

Put everything on a single line! You can check that the change has been made by re-issuing the gl command.
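To automate Case #2 end to end (resolve the SID, read the current descriptor with wevtutil gl, append the new ACE, write it back with sl /ca and re-read it), here is an added PowerShell example that is not part of the original post; the function names New-ChannelAccessSddl and Grant-EventLogChannelAccess and the sample identity CORP\LogWriters are assumptions. It keeps the existing ACEs (SYSTEM, Administrators, Event Log Readers) and appends to them, rather than replacing the whole descriptor.

```powershell
# Added example, not from the original post. New-ChannelAccessSddl and
# Grant-EventLogChannelAccess are hypothetical helper names.

# Pure helper: append one ACE to an existing channelAccess SDDL string.
# $Rights: 0x1 = read, 0x2 = write, 0x3 = read + write (as in the post).
function New-ChannelAccessSddl {
    param(
        [Parameter(Mandatory)] [string] $CurrentSddl,
        [Parameter(Mandatory)] [string] $Sid,
        [ValidateRange(1, 3)]  [int]    $Rights = 3
    )
    if ($CurrentSddl -match [regex]::Escape(";;;$Sid)")) {
        # Refuse to stack a second ACE for the same principal; edit the existing one instead.
        throw "An ACE for $Sid already exists in: $CurrentSddl"
    }
    # No spaces anywhere: wevtutil expects the whole descriptor as one token.
    return $CurrentSddl + ("(A;;0x{0:x};;;{1})" -f $Rights, $Sid)
}

# Wire the helper to wevtutil: read the current descriptor, extend it, write it back, re-check.
function Grant-EventLogChannelAccess {
    param(
        [Parameter(Mandatory)] [string] $Channel,    # e.g. Application
        [Parameter(Mandatory)] [string] $Identity,   # e.g. CORP\LogWriters (constructed sample)
        [int] $Rights = 3
    )
    # Same SID you would get from PsGetSid or Get-ADGroup
    $sid = ([System.Security.Principal.NTAccount] $Identity).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # "wevtutil gl" prints one "channelAccess: O:BAG:SYD:(...)" line
    $line = wevtutil gl $Channel | Where-Object { $_ -like 'channelAccess:*' }
    if (-not $line) { throw "Could not read channelAccess for $Channel (run elevated?)" }
    $current = ($line -split ':', 2)[1].Trim()

    $new = New-ChannelAccessSddl -CurrentSddl $current -Sid $sid -Rights $Rights
    Write-Host "Old: $current"
    Write-Host "New: $new"

    wevtutil sl $Channel "/ca:$new"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

    # Verify the change the same way the post does: re-read with gl.
    wevtutil gl $Channel | Where-Object { $_ -like 'channelAccess:*' }
}

# Usage (elevated prompt): Grant-EventLogChannelAccess -Channel Application -Identity 'CORP\LogWriters'
```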

Event Log Rights Case #3: Security Log case

If you ‘just’ need read and write rights on the security log, you could also assign the ‘Manage auditing and security log’ user right. However, this gives the user additional rights, such as setting the audit entries (Success, Failure) on objects. That’s often a bit too much.



2 thoughts on “Event Log Rights for Non-Administrators”

  • Trevor Ketch

    Hello.

    I was not able to find an answer to my question on the internet.

    I am wondering if adding a user / group to “Event Log Readers” allows those users to view the event logs from all servers, including domain controllers and member servers?

    • Dimitri Post author

      “Event Log Readers” is not a domain group, it is a local group on each member server. If you’d like to grant a domain group or domain user the right to read events on every server in your domain, you should add this group/user to every “event log readers” group of every server. Fortunately you can do this with a “restricted group” GPO where you make mandatory some group membership. It is often use to define who is part of the local administrators group, but nothing restricts you to use it for that very specific group.