Pigskin Guest
Posted: Wed May 17, 2006 10:50 pm Post subject: Viewing Event Logs
A while back the powers that be told us they wanted all our admins to have the
ability to view DC event logs. In Windows 2000 it was pretty cut and dried,
but in Windows 2003 we could not figure out how to get it to work. We
contacted Microsoft and they referred us to the below article and assisted in
putting it in place. It worked for a month or so, but then we noticed DNS
stopped working on the DCs. The only way to get it to work again was to
back off the GPO and rebuild from scratch. We tested this in the lab with
the same results. Any idea why this happened?
How to set event log security locally or by using Group Policy in Windows
Server 2003
Article ID : 323076
Last Review : March 12, 2005
Revision : 7.0
This article was previously published under Q323076
SUMMARY
Windows Server 2003 permits administrators to customize security access
rights to their event logs. These settings can be configured locally or
through Group Policy. This article describes how to use both of these methods.
You can grant users one or more of the following access rights to event
logs:
• Read
• Write
• Clear
Important: You can configure the security log in the same way. However, you
can change only Read and Clear access permissions. Write access to the
security log is reserved only for the Windows Local Security Authority (LSA).
Configure Event Log Security Locally
Warning If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
The security of each log is configured locally through the values in the
following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog
For example the Application log Security Descriptor is configured through
the following registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
And the System log Security Descriptor is configured through the following:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD
The Security Descriptor for each log is specified by using Security
Descriptor Definition Language (SDDL) syntax. For more information about SDDL
syntax, see the Platform SDK, or visit the Microsoft Web site mentioned in
the "References" section of this article.
To construct an SDDL string, note that there are three distinct rights that
pertain to event logs: Read, Write, and Clear. These rights correspond to the
following bits in the access rights field of the ACE string:
• 1 = Read
• 2 = Write
• 4 = Clear
The following is the default SDDL string for the Application log. The
hexadecimal value in each ACE is its access rights field:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)(A;;0x2;;;NS)
For example, the first ACE denies Anonymous Users read, write, and clear
access to the log. The sixth ACE permits Interactive Users to read and write
to the log.
Modify Your Local Policy to Permit Customization of the Security of Your
Event Logs
1. Back up the %WinDir%\Inf\Sceregvl.inf file to a known location.
2. Open %WinDir%\Inf\Sceregvl.inf in Notepad.
3. Scroll to the middle of the file, and then put the pointer immediately
before [Strings].
4. Insert the following lines:
MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppLogSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysLogSD%,2
5. Scroll to the end of the file, and then insert the following lines:
AppLogSD="Event log: Specify the security of the application log in Security
Descriptor Definition Language (SDDL) syntax"
SysLogSD="Event log: Specify the security of the System log in Security
Descriptor Definition Language (SDDL) syntax"
6. Save and then close the file.
7. Click Start, click Run, type regsvr32 scecli.dll in the Open box, and
then press ENTER.
8. In the DllRegisterServer in scecli.dll succeeded dialog box, click OK.
Use the Computer's Local Group Policy to Set Your Application and System Log
Security
1. Click Start, click Run, type gpedit.msc, and then click OK.
2. In the Group Policy editor, expand Computer Configuration, expand Windows
Settings, expand Security Settings, expand Local Policies, and then expand
Security Options.
3. Double-click Event log: Application log SDDL, type the SDDL string that
you want for the log security, and then click OK.
4. Double-click Event log: System log SDDL, type the SDDL string that you
want for the log security, and then click OK.
Use Group Policy to Set Your Application and System Log Security for a
Domain, Site, or Organizational Unit in Active Directory
Important: To view the group policy settings that are described in this
article in the Group Policy editor, first complete the following steps, and
then continue to the "Use Group Policy to Set Your Application and System Log
Security" section:
1. Use a text editor such as Notepad to open the Sceregvl.inf in the
%Windir%\Inf folder.
2. Add the following lines to the [Register Registry Values] section:
MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2
MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2
3. Add the following lines to the [Strings] section:
AppCustomSD="Eventlog: Security descriptor for Application event log"
SecCustomSD="Eventlog: Security descriptor for Security event log"
SysCustomSD="Eventlog: Security descriptor for System event log"
DSCustomSD="Eventlog: Security descriptor for Directory Service event log"
DNSCustomSD="Eventlog: Security descriptor for DNS Server event log"
FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"
4. Save the changes you made to the Sceregvl.inf file, and then run the
regsvr32 scecli.dll command.
5. Start Gpedit.msc, and then double-click the following branches to expand
them:
Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options
6. View the right panel to find the new "Eventlog" settings.
Use Group Policy to Set Your Application and System Log Security
1. In the Active Directory Sites and Services snap-in or the Active
Directory Users and Computers snap-in, right-click the object for which you
want to set the policy, and then click Properties.
2. Click the Group Policy tab.
3. If you must create a new policy, click New, and then define the policy's
name. Otherwise, go to step 5.
4. Select the policy that you want, and then click Edit.
The Local Group Policy MMC snap-in appears.
5. Expand Computer Configuration, expand Windows Settings, expand Security
Settings, expand Local Policies, and then click Security Options.
6. Double-click Event log: Application log SDDL, type the SDDL string that
you want for the log security, and then click OK.
7. Double-click Event log: System log SDDL, type the SDDL string that you
want for the log security, and then click OK.
REFERENCES
For more information about SDDL syntax and about how to construct an SDDL
string, visit the following Microsoft Web site:
Security Descriptor String Format
http://msdn.microsoft.com/library/en-us/security/security/security_descriptor_string_format.asp
APPLIES TO
• Microsoft Windows Server 2003, Enterprise Edition
• Microsoft Windows Server 2003, Standard Edition
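Before an SDDL string like the one in the article is pushed out through a GPO to every DC, it is worth decoding it and sanity-checking it offline. The following Python script is an added example written for this page; it is not part of the forum post or of KB 323076. It parses an event-log CustomSD string into its ACEs using the Read/Write/Clear bits (1, 2, 4) and the default Application-log string from the article, appends an allow-Read ACE for a group SID, and flags three things a practitioner would want caught: a deny ACE placed after an allow ACE (non-canonical order), a Write grant on the Security log (which the article says is reserved for the LSA), and a string that has dropped the Local System (SY) allow ACE present in the default. The group SID S-1-5-21-1000-2000-3000-1234 is a constructed placeholder, not a SID from the page.

```python
import re

# Event-log access-right bits as given in KB 323076.
EVT_READ, EVT_WRITE, EVT_CLEAR = 0x1, 0x2, 0x4
RIGHT_NAMES = {EVT_READ: "Read", EVT_WRITE: "Write", EVT_CLEAR: "Clear"}

# Well-known SDDL SID aliases that appear in the article's default string.
SID_ALIASES = {
    "AN": "Anonymous Logon", "BG": "Built-in Guests", "SY": "Local System",
    "BA": "Built-in Administrators", "SO": "Server Operators",
    "IU": "Interactive Users", "LS": "Local Service", "NS": "Network Service",
}

# Default Application-log string from the article (spaces removed).
DEFAULT_APP_SDDL = (
    "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
    "(A;;0x5;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x2;;;BA)(A;;0x2;;;LS)"
    "(A;;0x2;;;NS)"
)

# owner, group, optional DACL flags (e.g. "PAI"), then the ACE list.
SDDL_RE = re.compile(r"O:(\w+)G:(\w+)D:([A-Z]*)((?:\([^)]*\))*)")


def parse_rights(field):
    """Numeric rights field ("0x5" or "5"); SDDL letter codes are not used here."""
    field = field.strip()
    if field.lower().startswith("0x"):
        return int(field, 16)
    if field.isdigit():
        return int(field)
    raise ValueError(f"unsupported rights field: {field!r}")


def parse_sddl(sddl):
    """Split an O:..G:..D:(ace)(ace).. string into owner, group and a list of ACEs."""
    m = SDDL_RE.fullmatch(sddl.replace(" ", ""))
    if not m:
        raise ValueError("expected O:...G:...D:(ace)(ace)... form")
    owner, group, _dacl_flags, dacl = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inherit, sid = parts
        aces.append({"type": ace_type, "rights": parse_rights(rights), "sid": sid})
    return {"owner": owner, "group": group, "aces": aces}


def describe(ace):
    """Human-readable form of one ACE, e.g. 'allows Interactive Users: Read, Write'."""
    verb = "allows" if ace["type"] == "A" else "denies"
    # Only the low three bits are log rights; the 0xf0000 in the defaults is
    # the standard-rights block and is not reported here.
    names = [n for bit, n in RIGHT_NAMES.items() if ace["rights"] & bit] or ["nothing"]
    return f"{verb} {SID_ALIASES.get(ace['sid'], ace['sid'])}: {', '.join(names)}"


def grant_read(sddl, sid_string):
    """Append an allow-Read ACE for a SID; appending keeps the deny ACEs in front."""
    return sddl.replace(" ", "") + f"(A;;0x1;;;{sid_string})"


def check_for_log(sddl, log_name):
    """Return a list of problems worth fixing before pushing the string via GPO."""
    problems = []
    aces = parse_sddl(sddl)["aces"]
    seen_allow = False
    for ace in aces:
        if ace["type"] == "A":
            seen_allow = True
            # Per the article, Write on the Security log is reserved for the LSA.
            if log_name == "Security" and ace["rights"] & EVT_WRITE and ace["sid"] != "SY":
                problems.append(f"write granted to {ace['sid']} on Security log")
        elif ace["type"] == "D" and seen_allow:
            # Canonical DACL order puts explicit deny ACEs before allow ACEs.
            problems.append(f"deny ACE for {ace['sid']} after an allow ACE")
    # The Event Log service runs as LocalSystem; the default grants SY full access.
    if not any(a["type"] == "A" and a["sid"] == "SY" for a in aces):
        problems.append("no allow ACE for SY")
    return problems


if __name__ == "__main__":
    # Constructed placeholder SID for "our admins"; substitute the real group SID.
    ADMINS_SID = "S-1-5-21-1000-2000-3000-1234"
    for ace in parse_sddl(DEFAULT_APP_SDDL)["aces"]:
        print(describe(ace))
    new_sddl = grant_read(DEFAULT_APP_SDDL, ADMINS_SID)
    print(new_sddl)
    print("problems:", check_for_log(new_sddl, "Application"))
```

Run it against the exact string you intend to put in the "Event log: ... SDDL" policy setting; the string the article shows with spaces around the hex values is accepted, since the parser strips whitespace. The checks are deliberately conservative: they only compare the candidate against what the article itself states about the defaults and the Security log.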