
How to Provide Remote Event Log Access to Delegated Users and Groups


Step 1: Enable the Setting in the Registry and GPO

Open sceregvl.inf from C:\Windows\inf and add the lines below to the two sections shown:

[Register Registry Values]

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

[Strings]

;================================ Event Log Settings ====================================
AppCustomSD="Eventlog:Security descriptor for Application event log"
SecCustomSD="Eventlog:Security descriptor for Security event log"
SysCustomSD="Eventlog:Security descriptor for System event log"
DSCustomSD="Eventlog:Security descriptor for Directory Service event log"
DNSCustomSD="Eventlog:Security descriptor for DNS Server event log"
FRSCustomSD="Eventlog:Security descriptor for File Replication Service event log"


After adding the above settings to Sceregvl.inf in %Windir%\Inf, click File > Save.

Then click Start -> Run -> CMD and type: regsvr32 scecli.dll, as shown below. This re-registers the Security Configuration client so that the new CustomSD entries appear under Security Options.


Step 2: Create a Delegation Group and find its SID

Using the Active Directory Users and Computers MMC console, create a group that will be granted remote access to the event logs. Example group: Global-RemoteLogsAccess

Issue the command: dsquery group -name Global-RemoteLogsAccess | dsget group -sid

The command returns the group's SID, for example: S-1-5-21-1458493625-888593626-1103064490-1605


Step 3: Edit the Group Policy

Open GPMC on a domain controller, navigate to the Domain\Domain Controllers OU and edit the TRW Default DC Policy.

Then navigate to Computer Settings -> Windows Settings -> Local Policies -> Security Options.


Step 4: Enter the SDDL for Event Log Delegation

By default, to allow access to the built-in accounts, we must enter: O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)

The above SDDL reinstates the permissions for the built-in accounts in Windows, e.g. Server Operators.

We want to delegate the permission to the group Global-RemoteLogsAccess, whose SID we found in Step 2: S-1-5-21-1458493625-888593626-1103064490-1605

Each ACE has the form (Type;;AccessMask;;;SID), where:

A=Allow Access

0x1= Read Access

0x2=Write Access

0x4=Clear Access

The ACE for the group will be: (A;;0x1;;;S-1-5-21-1458493625-888593626-1103064490-1605)

As we need to retain the permissions for the built-in accounts, we append this ACE to the default SDDL, which gives:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-21-1458493625-888593626-1103064490-1605)

Enter this SDDL in the GPO event log security setting for each of the event logs: Application, Directory Service, FRS, Security, System and DNS. Granting only 0x1 (Read) keeps the delegation read-only: members can view the logs but cannot write to or clear them.
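The following PowerShell is an added example, not part of the original article, that automates Steps 2 and 4: it resolves the group's SID (the equivalent of the dsquery/dsget pipeline), appends the read-only ACE to the built-in SDDL from the article, and then parses the result with the .NET RawSecurityDescriptor class so the individual ACEs and their decoded rights can be reviewed before the string is pasted into the GPO. The group name, SID and base SDDL are the article's; the Get-GroupSid step assumes a domain-joined machine that can resolve the group.

```powershell
# Added example: build and decode the CustomSD SDDL for event log delegation.
# Not the article's own script; group name, SID and base SDDL are taken from it.

# Access-mask bits as documented in the article.
$EventLogRights = @{ 0x1 = 'Read'; 0x2 = 'Write'; 0x4 = 'Clear' }

function Get-GroupSid {
    param([Parameter(Mandatory)][string]$GroupName)
    # Equivalent of: dsquery group -name <name> | dsget group -sid
    $account = New-Object System.Security.Principal.NTAccount($GroupName)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-EventLogCustomSD {
    param(
        [Parameter(Mandatory)][string]$DelegateSid,
        # 0x1 = Read only: the least privilege needed to view logs remotely.
        [int]$AccessMask = 0x1,
        # Built-in portion stated in the article; it must be retained.
        [string]$BaseSddl = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0005;;;SY)(A;;0x5;;;BA)'
    )
    '{0}(A;;0x{1:x};;;{2})' -f $BaseSddl, $AccessMask, $DelegateSid
}

function Show-EventLogCustomSD {
    param([Parameter(Mandatory)][string]$Sddl)
    # RawSecurityDescriptor parses SDDL without touching any object and throws on a
    # malformed string, which is the check you want before editing the GPO.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = $EventLogRights.Keys |
                  Where-Object { $ace.AccessMask -band $_ } |
                  ForEach-Object { $EventLogRights[$_] }
        [pscustomobject]@{
            Type   = $ace.AceType
            Sid    = $ace.SecurityIdentifier.Value
            Mask   = '0x{0:x}' -f $ace.AccessMask
            Rights = ($rights -join ',')
        }
    }
}

# Usage: the SID below is the article's example value. In a live domain replace it
# with: $sid = Get-GroupSid 'Global-RemoteLogsAccess'
$sid  = 'S-1-5-21-1458493625-888593626-1103064490-1605'
$sddl = New-EventLogCustomSD -DelegateSid $sid
$sddl
Show-EventLogCustomSD -Sddl $sddl | Format-Table -AutoSize
```

The decoded table makes the intent of each ACE visible: the two D (deny) entries for Anonymous (AN) and Built-in Guests (BG), the allows for SYSTEM and Built-in Administrators, and the new allow for the delegated group carrying only the Read bit. If Show-EventLogCustomSD throws, the string is malformed and must not be entered in the policy.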

Step 5: Verify Access

Create a new test user and add the user to the group: ad-dc-remotelogs

Log in to a client or a member server with the test user account and run GPUPDATE.

Then click Start -> Run -> compmgmt.msc.

Once the console opens, right-click Computer Management, click Connect to another computer, and specify the name of the domain controller you wish to view.

Remotely view the event logs.
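As an added example (not from the original article), the same verification can be done from PowerShell on the member server: the first function attempts a one-event read of each log listed in the article as the logged-on test user, distinguishing an access-denied result from an empty or absent log; the second reads the CustomSD values the GPO wrote on the domain controller, which requires administrator rights there. DC01 is a placeholder computer name.

```powershell
# Added example: verify event log delegation from a member server.
# Not the article's own script. DC01 is a placeholder; log names are the article's.
$Dc   = 'DC01'
$Logs = 'Application', 'System', 'Security', 'Directory Service',
        'DNS Server', 'File Replication Service'

function Test-RemoteEventLogRead {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$LogName
    )
    try {
        # Reading a single event is enough to prove the 0x1 (Read) ACE took effect.
        $null = Get-WinEvent -ComputerName $ComputerName -LogName $LogName `
                             -MaxEvents 1 -ErrorAction Stop
        [pscustomobject]@{ Log = $LogName; Readable = $true; Error = $null }
    }
    catch {
        # An access-denied / unauthorized error means the CustomSD has not applied
        # on the DC yet or the ACE is missing. A "no events" or "not found" error is
        # not a permission failure; the log is simply empty or not present.
        [pscustomobject]@{ Log = $LogName; Readable = $false; Error = $_.Exception.Message }
    }
}

function Get-AppliedCustomSD {
    # Reads the CustomSD values under the Eventlog service keys on the DC.
    # Needs remoting and administrator rights on the DC, so run this as an admin,
    # not as the test user.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$LogNames
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList (, $LogNames) -ScriptBlock {
        param($names)
        foreach ($n in $names) {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$n"
            $v = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
            [pscustomobject]@{ Log = $n; CustomSD = $v }
        }
    }
}

# Usage (as the test user on the member server). The Default DC policy is applied
# on the domain controller, so gpupdate must also have run there.
$Logs | ForEach-Object { Test-RemoteEventLogRead -ComputerName $Dc -LogName $_ } |
    Format-Table -AutoSize

# Usage (as an administrator): confirm the policy actually wrote the descriptors.
# Get-AppliedCustomSD -ComputerName $Dc -LogNames $Logs | Format-List
```

A log that reports Readable = $false with an unauthorized-operation message after Group Policy has refreshed on the DC usually means the CustomSD value is missing for that log (Get-AppliedCustomSD shows an empty CustomSD) or the delegated group's ACE was not appended to it.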