By default, only administrators can view security event log in a Windows Server 2003 or 2008. In this article I will show you how to grant permissions to other users or groups to view security log content in a server without admin permissions.
For Windows Server 2008:
Let me start with something easy. For windows 2008 servers, it is very straight forward. If you want to allow any user or group view security event log, just add them to “BUILT IN\Event Log Readers” group and the task is accomplished. If you want to view who all has access to a given event log, try the below command
wevtutil gl security
For Windows Server 2003:
Like Windows server 2008, there is no straightforward way in Windows Server 2003. We need to tweak registry entries a bit to get the desired results. In Windows 2003, security log permissions are stored in registry key in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD registry value. The data for this value will be in SDDL format (search for SDDL in MSDN to know more). We need to modify the data of this value to grant permissions to new users or groups.
Now I will show two cases of granting permissions to security event log and you can form your own SDDL based on these examples.
Grant security log access to anyone logging into the computer:
Anyone who is logging into the computer either through RDP or via console is treated as a “Interactive User”. So granting permission to interactive user will give them required access to security event log. In this example, I am giving read-only access to all the users who is logging in interactive to the server. For that I just need to append the below SDDL string to aforementioned CustomID registry value. Make sure to append it without quotes.
“(A;;0x1;;;IU)” – append this without quotes
If you want to give them full access, then use the below SDDL.
Grant security log access to a user or group:
For granting security log access to a user or group, you need to have their SID handy so that you can form the SDDL to grant them access. You can refer to https://techibee.com/sysadmins/fetch-the-sid-of-a-user-account-using-powershell/137 if you want to know how to get SID of a user using powershell. Once you have the SID handy, you can form the SDDL string to append to the CustomID registry value. In this example, I am using the SID of my domain user “S-1-5-21-1377399363-320120969-1166362429-510”. To grant this user read-only access, I need to append below SDDL string to the CustomID registry value.
Similarly you can grant permissions to security group as well by replacing the group SID in the above example.
This completes the procedure for granting permissions to read security log entries for non-admin users.
A few useful links:
Default ACLs on Windows event logs — http://blogs.msdn.com/b/ericfitz/archive/2006/03/01/541462.aspx
How to set security event log security locally or using group policies –
Some more deep dive into permissions — http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx
Well known security identifiers in Windows –
Hope this helps.. Happy learning.
Even being in the Event Log Readers group, you will still need an elevated prompt to read the security log.