Access to Event Viewer on Windows 2003 Domain Controllers?

  • Thread starter: Steven T

Steven T

Hi,

I have just upgraded the domain controllers from Windows 2000 to Windows 2003. I found that I can only access the security log (as I have been granted the right for "Managing Auditing and Security log") and was denied access to the application log, system log, DNS log, etc. I know I can access the log if I am in the Domain Admin Group, but is there any way to grant the minimum access right to a normal domain user so that they can read the logs? I am doing this as I would like to have the operators keep an eye on the log, but I don't want to give them too many privileges. What right should I grant? I searched on the Web and Microsoft, but most explanations only cover a normal 2003 server involving the local guests group (normal users are added to guest groups and by default denied). Since local groups do not exist in a Domain Controller, what should I do? Thank you very much

Best Regards,
Steven T
 
If the guest restriction is in place, check to see if your user account is in the guests group as shown in Active Directory Users and Computers. --- Steve
 
Hmm. By default any domain user should be able to read the system and application logs on a domain controller. I just verified this on my install of Windows 2003 Server SP1, logging onto the domain controller with a user account that was only a member of the domain users group. If you have only tried it via the network, try logging onto the domain controller console to see if that makes a difference.

Assuming you cannot, I would enable auditing of privilege use, object access, and process tracking for failure in Domain Controller Security Policy. Then enable auditing for the user account you are trying for the system32 folder for full control and the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog for full control. Then run gpupdate on the domain controller, log on as the user, try again, and when it fails look in the security log of the domain controller to see if there are any failure events recorded that may provide a clue. Also, on the Windows 2003 domain controller, run the mmc snap-in for Resultant Set of Policy planning for that domain user to see what GP settings are applying to the user and computer for anything that could be causing lack of access, though offhand I can only think of the one that applied to the guest group, which is computer configuration. --- Steve
 