I’m new and seek for some expertise advises here. Is there a way to
grant local user to be able to view only Event Viewer from Group
Policy or Registry?
I’m referring to Windows 2000 Event Viewer which was restricted
local user been able to make any changes to the company’s policy
settings. Is there any other way to change it from registry or group
policy?
By default a regular user can already view the application and system logs
only unless they are a member of the guests group and the guests group has
been prevented from accessing the application and system logs in security
policy. If you could be more specific in what you want to accomplish I may
be able to help. --- Steve
Our company have own own Company Policy that restricted normal user
been able to view all the administrative tools. I’m the desktop
support for the company and actually there was an ex-staff (desktop
support too) was able to assist user to let them view the Event Viewer
with no other access. Heard that could be done by using registry
changing from Win2000. Any idea?
That could be done with Group Policy. If at the domain or Organizational
Unit Level for a Group Policy you look under computer configuration/Windows
settings/security settings/event log for the three settings for prevent
local guests from accessing log. This will also be found in Domain Security
Policy which is a subset of the default domain Group Policy. If those
settings are enabled and the user is a member of the local guests group on
his computer then he will not be able to access the logs. To allow that user
to access the logs you could remove him from the local guests group. This
all assumes that is the setting preventing their access. You can use the
command net user username to find out the group membership of a user on
their domain computer and run the support tool gpresult to find the Group
Policies that are applying to the user and computer. Gpresult /v will show
much more detail and you may want to dump that report to a text file as in
gpresult /v>c:\report1.xtx. This particular setting is "computer"
configuration and applies to all users that logon to that computer.
Another Group Policy setting that could be restricting access is the user is
denied to Management Consoles such as Event Viewer. These settings are found
under "user" configuration/administrative templates/Windows
components/Microsoft management console where you can see there are settings
to prevent user access. If settings here are restricting the user then you
would need to exempt him from the Group Policy by creating a new GP for him
and allowing the Management Console Settings that you want. That GPO would
need to be linked to an Organizational Unit that contains the user account
and is a child OU of and container/OU that currently is applying the Group
Policy to the user so that it will override the restriction of that
particular Management Console snapin.
Group Policy is an easy and preferred way to manage registry settings as
most GP settings do not tattoo the registry unlike manual registry changes
that can be a nightmare to track down as often manual registry changes are
done on the fly and not documented. --- Steve
