Working with Active Directory Permissions in Microsoft Exchange 2003, Delegate to Exchange Administrators

This guide helps Exchange architects in their understanding of how Exchange uses Active Directory in the context of permissions. Further, this document is a reference guide for administrators implementing a split permissions model.
Go to Now

Windows Firewall Group Policy Settings

This appendix describes the details of the following Windows Firewall Group Policy settings found in the Group Policy snap-in in the following locations:
Go to Now

Working with Active Directory Permissions in Microsoft Exchange, How to Delegate to Exchange Administrators
Microsoft release a guide that helps Exchange architects in their understanding of how Exchange uses Active Directory in the context of permissions.
Go to now
How can I delegate access to the event logs in Windows Server 2003

 

Is it possible at all to delegate the control of event logs at all

Yes its absolute possible to do so, how ever you may have found out that regular users canít read the event logs on Windows Server 2003 machines as they where available to do at Windows 2000 Server Family.

What we have to understand to delegate this is SDDL (Security Descriptor Definition Language) , I will do an overview to explain how it works in this particular case

Jimmy Andersson , Microsoft MVP Directory Services cover this in a presentation very well, have look to understand SDDL.
http://www.nexus.se/events/files/AD_Security_-_final.ppt

In the registry of each Windows Server 2003 box there is Security Descriptor for each type of event log

Application:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Application\CustomSD
System:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\CustomSD
Security:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Security\CustomSD
File Replication Service:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\File Replication Service\CustomSD
DNS Server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\DNS Server\CustomSD
Directory Service:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Directory Service\CustomSD

This is the default security descriptor string for the Application log.
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

It doesnít say anything if you donít know SDDL,  

For granting access to the event log, there are three different settings that can be combined:

1 = Read
2 = Write
4 = Clear

 

When specifying which user or group can access the event log, you can use SID in the SDDL systax, or some pre-defined group names. For example, the build-in Administrators group has an entry in the "CustomSD" registry value like:

(A;;0x7;;;BA)
A - Allow
0x7 = 1+2+4 - granting Read, Write and Clear rights
BA = Build-in Administrators (could also be the SID)

Now it begins to be use full, you can for example create a group in Active Directory like Domain Controllers Monitoring Group and specify  (A;;0x1;;;<SID>) Then you have delegate the control to the group to read the particular log.

You donít have to do anything else than add the customized part (A;;0x1;;;<SID>) to the end of the current Security Descriptor string of you want to keep default security, as stated above the default Security Descriptor for the Application log is:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

You add what you have customized to the end like:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3) (A;;0x1;;;<SID>)

Well you may have 7000 Servers or a large numbers of servers and you may not want to do these at all servers in the registry possible not delegate same control to all servers.

(This is a sample where I have delegate my regular account to read the directory service log only, Click for full size)

Take use of the Active Directory and Group Policies to push this out to the registry, there is no built-in option to take use of to do this. But you can write customize administrative template that allows you to do this.

323639 - HOW TO: Create Custom Administrative Templates in Windows 2000
This step-by-step article describes how to create custom Administrative Templates to use with Group Policy settings in a Windows 2000-based domain. Group Policy templates provide an interface that you can use to apply registry changes to the target...
http://support.microsoft.com/default.aspx?scid=kb;en-us;323639



Last Reviewed: 17.7.2004
Author: Christoffer Andersson
Please feel free to contact me at:
General Information: [christoffer at andersson dot chrisse dot se]
Send the articles to a friend