Sometimes it is necessary to permit certain groups of people access to event logs on domain controllers or other servers in the domain. The most common request is read-only access to various event logs, so delegated administrators can monitor the logs. A good example is giving DNSAdmins read-only access to the DNS event logs.
Adding permissions to event logs is not a straightforward process, and I find it easiest to do it with a GPO. However, to do it via a GPO you first need to change the default security options definition files so that the required settings appear in the GPMC.
Attached is an updated sceregvl.inf file, which you will need to copy into the system32 directory, replacing the existing file. You will then need to re-register it by running "regsvr32 scecli.dll".
After you have done all of that, you will see various event log security descriptor options under the "Security Options" portion of the GPO. Unfortunately, you have to enter the new ACL in SDDL format, which is quite convoluted.
The default ACLs for each event log are listed below. Use the matching one as your base and then append whatever additional entries (ACEs) you want.
Application Log:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
Directory Services:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
DNS Service:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
File Replication Service:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
Security Event Log:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)
System Event Log:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x1;;;S-1-5-3)(A;;0x2;;;NS)
To add additional groups or users to the ACL, you first need to determine the SID of the user or group. It starts with "S-" and is quite long, for example S-1-5-21-702074188-2833732907-241959117-48998. You can use LDP or other methods to find the SID.
The SDDL syntax for adding read-only access to any of the logs above is:
(A;;0x1;;;<Insert SID here>), for example: (A;;0x1;;;S-1-5-21-702074188-2833732907-241959117-48998)
For the security event log the final ACL would look like:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;S-1-5-21-702074188-2833732907-241959117-48998)
Just cut and paste this into the GPMC for the right event log, and voilà! Instant read-only access is granted to the specified user or group.
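As an added example (not part of the original post), the following PowerShell builds the read-only SDDL from one of the default strings above, checks that it parses before it goes into the GPO, resolves a group name to its SID instead of using LDP, and reads back the CustomSD registry value that the GPO setting ultimately writes on each server. The group name is a placeholder; the SID and the Security log default are the ones quoted above.

```powershell
# Added example, not code from the original post.
# Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
# Read-only delegation therefore adds an "A" (allow) ACE with mask 0x1 only.

function New-EventLogReadSddl {
    param(
        [Parameter(Mandatory)] [string] $BaseSddl,   # default ACL quoted in the post
        [Parameter(Mandatory)] [string] $Sid         # SID of the delegated group
    )
    $readAce = "(A;;0x1;;;$Sid)"
    if ($BaseSddl.Contains($readAce)) { return $BaseSddl }   # already delegated
    $candidate = $BaseSddl + $readAce
    # Parsing with .NET catches a typo here rather than leaving the Event Log
    # service with an unparseable descriptor; the original string is returned
    # unchanged so it can be pasted into the GPMC as-is.
    [void] (New-Object System.Security.AccessControl.RawSecurityDescriptor($candidate))
    return $candidate
}

# Resolve a group to its SID (needs connectivity to a domain controller).
function Get-GroupSid {
    param([Parameter(Mandatory)] [string] $AccountName)   # placeholder, e.g. 'CONTOSO\DnsAdmins'
    $nt = New-Object System.Security.Principal.NTAccount($AccountName)
    ($nt.Translate([System.Security.Principal.SecurityIdentifier])).Value
}

# What a server currently enforces: the GPO setting is written to CustomSD.
function Get-EventLogCustomSd {
    param([Parameter(Mandatory)] [string] $LogName)   # 'Security', 'DNS Server', ...
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
    (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
}

# Worked example: Security log default from the post plus the SID from the post.
$securityDefault = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)'
$delegatedSid    = 'S-1-5-21-702074188-2833732907-241959117-48998'
$newSddl = New-EventLogReadSddl -BaseSddl $securityDefault -Sid $delegatedSid
$newSddl

# Break the result into ACEs so a reviewer can confirm that only a mask-0x1
# allow entry was added and that no deny entry was dropped.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($newSddl)
$sd.DiscretionaryAcl | ForEach-Object {
    '{0,-13} 0x{1:x} {2}' -f $_.AceType, $_.AccessMask, $_.SecurityIdentifier
}
```

Compare the output of Get-EventLogCustomSd on a target server with the string you pasted into the GPO to confirm the policy has actually applied.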