Delegating read only access to Domain Controller Event Logs


Something AD administrators used to dread was the inevitable request for access to Domain Controller event logs for monitoring purposes.

The lazy admin (Rob Field) approach was to give the service account Domain Admins. More dedicated staff would fiddle around with the SDDL security descriptors until they got it right.

Well that’s not needed anymore… Delegating read only permission to the event logs cannot be easier with 2008.

There is an Active Directory built-in group called ‘Event Log Readers’. All you need to do is drop the service account that needs this privilege into the Event Log Readers group and your monitoring software should be happy.

Note this gives access to all event logs. However if you do not want to give them access to all event logs you still have to resort to using SDDL. There is a good post here.

This also works with Member Servers. Just drop the service accounts into the Event Log Readers group on each member server.

Advertisements