Is it possible at all to delegate control of the event logs?
Yes, it is absolutely possible to do so; however, you may have found out that regular users can't read the event logs on Windows Server 2003 machines, as they were able to do on the Windows 2000 Server family.
What we have to understand to delegate this is SDDL (Security Descriptor Definition Language). I will give an overview to explain how it works in this particular case.
Jimmy Andersson, Microsoft MVP Directory Services, covers this very well in a presentation; have a look at it to understand SDDL: http://www.nexus.se/events/files/AD_Security_-_final.ppt
In the registry of each Windows Server 2003 box there is a Security Descriptor for each type of event log, stored in the CustomSD value under the log's EventLog subkey:

| Event log | CustomSD registry value |
| --- | --- |
| Application | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\CustomSD |
| System | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\CustomSD |
| Security | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Security\CustomSD |
| File Replication Service | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\File Replication Service\CustomSD |
| DNS Server | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\DNS Server\CustomSD |
| Directory Service | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Directory Service\CustomSD |
This is the default security descriptor string for the Application log:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
It doesn't say anything to you if you don't know SDDL, so let's decode it.
For granting access to the event log, there are three different settings that can be combined:

1 = Read, 2 = Write, 4 = Clear
When specifying which user or group can access the event log, you can use a SID in the SDDL syntax, or some pre-defined group names. For example, the built-in Administrators group has an entry in the "CustomSD" registry value like:

(A;;0x7;;;BA)

- A = Allow
- 0x7 = 1+2+4, granting Read, Write and Clear rights
- BA = Built-in Administrators (could also be written as the SID)
Now it begins to be useful: you can, for example, create a group in Active Directory like "Domain Controllers Monitoring Group" and specify (A;;0x1;;;<SID>). Then you have delegated control to that group to read the particular log, and nothing more.
You don't have to do anything else than add the customized part (A;;0x1;;;<SID>) to the end of the current Security Descriptor string if you want to keep the default security. As stated above, the default Security Descriptor for the Application log is:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

You add what you have customized to the end, like:

O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x1;;;<SID>)
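To make the decoding above concrete, and to show the "append one read-only ACE" step without hand-editing the string, here is an added example (not part of the original post, and not a Microsoft tool) that parses a CustomSD descriptor into its ACEs using the 1/2/4 meanings given above, reports which trustee is allowed or denied what, and appends (A;;0x1;;;<SID>) for a group after checking the SID is well formed and not already listed. The group SID S-1-5-21-1000-2000-3000-1107 is a constructed sample value; the default descriptor is the one quoted in the post.

```python
import re
from dataclasses import dataclass

# Access-mask bits the post documents for event-log CustomSD descriptors
# (the low bits of the rights field; 0xf0007 additionally carries the
# standard rights in the upper bits, which we leave undecoded here).
READ, WRITE, CLEAR = 0x1, 0x2, 0x4
RIGHT_NAMES = {READ: "Read", WRITE: "Write", CLEAR: "Clear"}

# Default Application-log descriptor, as quoted in the post.
DEFAULT_APPLICATION_SD = (
    "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
    "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)"
)

# An ACE is (type;flags;rights;object_guid;inherit_object_guid;trustee).
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
SD_RE = re.compile(
    r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl_flags>[A-Z]*)"
    r"(?P<aces>(?:\([^)]*\))*)$"
)
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" = allow, "D" = deny
    flags: str
    mask: int
    trustee: str    # two-letter SDDL alias (BA, SY, ...) or an S-1-... SID

    @property
    def rights(self):
        """Names of the event-log rights (Read/Write/Clear) set in the mask."""
        return {name for bit, name in RIGHT_NAMES.items() if self.mask & bit}

    def to_sddl(self):
        return f"({self.ace_type};{self.flags};{self.mask:#x};;;{self.trustee})"


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str
    aces: tuple

    def to_sddl(self):
        head = f"O:{self.owner}G:{self.group}D:{self.dacl_flags}"
        return head + "".join(a.to_sddl() for a in self.aces)


def parse_sddl(sddl):
    """Parse an O:/G:/D: descriptor string into its owner, group and ACE list."""
    m = SD_RE.match(sddl.strip())
    if not m:
        raise ValueError(f"not an O:/G:/D: descriptor: {sddl!r}")
    aces = []
    for ace_type, flags, rights, _obj, _inh_obj, trustee in ACE_RE.findall(m["aces"]):
        if not rights.lower().startswith("0x"):
            # Letter-coded rights (GA, FA, ...) are valid SDDL but event-log
            # descriptors use hex masks; refuse rather than misdecode.
            raise ValueError(f"unsupported rights encoding {rights!r}")
        aces.append(Ace(ace_type, flags, int(rights, 16), trustee))
    return SecurityDescriptor(m["owner"], m["group"], m["dacl_flags"], tuple(aces))


def explicit_rights(sddl):
    """Explicit Allow/Deny and decoded rights per trustee, in DACL order.
    This is what the string says, not an effective-access calculation
    (no group expansion), so it is informational only."""
    return {a.trustee: ("Allow" if a.ace_type == "A" else "Deny", a.rights)
            for a in parse_sddl(sddl).aces}


def delegate_read(sddl, sid):
    """Return sddl with (A;;0x1;;;<sid>) appended, keeping every existing ACE."""
    if not SID_RE.match(sid):
        raise ValueError(f"expected an S-1-... SID, got {sid!r}")
    sd = parse_sddl(sddl)
    if any(a.trustee == sid for a in sd.aces):
        raise ValueError(f"{sid} already has an ACE; edit that entry instead")
    new_ace = Ace("A", "", READ, sid)
    return SecurityDescriptor(sd.owner, sd.group, sd.dacl_flags,
                              sd.aces + (new_ace,)).to_sddl()


if __name__ == "__main__":
    monitoring_group_sid = "S-1-5-21-1000-2000-3000-1107"  # constructed sample SID
    new_sd = delegate_read(DEFAULT_APPLICATION_SD, monitoring_group_sid)
    print(new_sd)
    for trustee, (kind, rights) in explicit_rights(new_sd).items():
        print(f"{kind:5} {trustee:30} {', '.join(sorted(rights)) or '(none)'}")
```

Running it prints the default descriptor with the new read-only ACE on the end, followed by one line per trustee; the two Deny entries for Anonymous and Guests stay ahead of every Allow, which is why appending rather than inserting is the right edit. Paste the printed string into the CustomSD value of the log you want to delegate.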
Well, you may have 7000 servers, or at least a large number of servers, and you may not want to do this in the registry on every server, and possibly you do not want to delegate the same control on all of them.
(This is a sample screenshot where I have delegated my regular account to read the Directory Service log only.)

Make use of Active Directory and Group Policy to push this out to the registry. There is no built-in policy setting for it, but you can write a custom administrative template that lets you do this.
323639 - HOW TO: Create Custom Administrative Templates in Windows 2000. This step-by-step article describes how to create custom Administrative Templates to use with Group Policy settings in a Windows 2000-based domain. Group Policy templates provide an interface that you can use to apply registry changes to the target... http://support.microsoft.com/default.aspx?scid=kb;en-us;323639
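Pushing the value out with a custom administrative template, as suggested above: the following is an added example and is not part of the original post or of KB 323639. The category, policy and string names are made up; the registry path is the Application log's CustomSD value from the table earlier in the post, and the same pattern applies to the other logs by changing KEYNAME.

```adm
CLASS MACHINE
CATEGORY !!EventLogDelegation
    ; KEYNAME is relative to HKEY_LOCAL_MACHINE. It is not under a Policies
    ; key, so the Group Policy editor treats it as a preference: it is hidden
    ; until the "show only policy settings that can be fully managed" filter
    ; is turned off, and the value stays in the registry after the GPO no
    ; longer applies.
    POLICY !!ApplicationLogCustomSD
        KEYNAME "SYSTEM\CurrentControlSet\Services\EventLog\Application"
        EXPLAIN !!ApplicationLogCustomSD_Help
        PART !!SddlLabel EDITTEXT
            VALUENAME "CustomSD"
            MAXLEN 2048
        END PART
    END POLICY
END CATEGORY

[strings]
EventLogDelegation="Event Log Delegation"
ApplicationLogCustomSD="Application event log security descriptor (CustomSD)"
ApplicationLogCustomSD_Help="Writes the SDDL string entered below to the CustomSD value of the Application event log. The value replaces the whole descriptor, so paste the full default descriptor followed by your own ACE, for example (A;;0x1;;;<SID>), if you want to keep the default security."
SddlLabel="SDDL security descriptor:"
```

Load the file through Add/Remove Templates in the Group Policy editor on a GPO linked to the OU holding the servers you want to delegate on, and enter the complete descriptor (default string plus your ACE) as the value. Because the value is written as a whole, a truncated or mistyped string does not "partly" work: it replaces the default ACL entirely, so check the descriptor with a parser or on one test server before linking the GPO broadly.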