Managing audit and security log right

JP

Windows 2000 PDC
Multiple servers - NT 4, 2000, 2003

When I try to assign the "Managing audit and security log" right to my
network technician, he can view the logs but the option to clear them is
grayed out.

I've tried a local policy on each server, no dice.
I've added him to the Domain Controller Security Policy, and it works fine
there. He can clear the logs on the PDC.

I added him to the Domain Security Policy in hopes it would roll out to the
other machines. (I've manually refreshed with secedit /refreshpolicy
machine_policy) I can see his SID show up under one of the 2000 Servers
Local Security Policy as being effective, but it will not allow his user id
to clear the logs. He can view, but the option to clear is grayed out. His
user id is also part of Domain Users, Account Operators, Server Operators,
and Backup Operators.

I'm fresh out of ideas at the moment. Any suggestions?
 
Just a follow up to this. I created a test user and added the right to
the user in the Default Domain Policy. I refreshed the policy on the 2000
Server. I can see it as active, and it STILL has the "Clear all events" option
grayed out. There has to be something else needed to allow a user the
ability to clear the event logs without being part of the administrator
group.
It wasn't this difficult in NT4... What else do you need to do in 2000?
 
Ok, when I remove the "Manage auditing and security log" right from my test
user and push it to the 2000 server, I can no longer view the security log.
I can view the application log, but still the clear option is grayed out.
So, it appears the right is being implemented properly, but it's not
functioning as all the Microsoft documentation says it should be.
Everything I read says this right grants the user access to manage and audit
the security log...... As I've learned, they mean that quite literally, just
the security log. The other event logs are still able to be viewed, albeit
not cleared. Does anyone know what I need to do to grant a user the right
to clear all event logs for archiving purposes?

Any suggestions would be appreciated.
 