Thanks.
I took a look at the article and oddly enough, I don't have any of those 
settings in the local group policy on my win2k3 enterprise member server.

Also, I take it there is no group policy to block read access to the app and
system log on a win2k server?

Finally, does anyone know what the default ACL is on the
system, app, DNS, directory services, etc. logs in win2000? What user groups can
read a remote event log in the local and remote domains?
Thanks a lot.


[EMAIL PROTECTED] wrote:
> Hey Tom...
> 
> In W2k3, you can set the rights...
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
> 
> On 2000 and 2003 there is a policy setting in the local user rights
> assignments, "manage auditing and security log", which can be set to a
> global group.  However, you have to be careful with this.  Some
> things apparently have to access the log and might not have the
> rights.  I'm going to guess SP's would, along with other weird
> problems you might experience.  We tried it on XP boxes here so that
> security were the only ones that could access it, and found out we
> couldn't run system restore and apply some patches without being in
> the group.  We ended up setting it back to the default on the clients.
> 
> John
> 
> From: "Kern, Tom" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> To: "ActiveDir (E-mail)" <ActiveDir@mail.activedir.org>
> cc:
> Date: 04/07/2005 11:20 AM
> Subject: [ActiveDir] event viewer access
> Please respond to: [EMAIL PROTECTED]
> 
> In an AD forest, every domain admin can view the event logs (except
> security) on all servers/DCs in every domain in the forest.
> My question is, how can you prevent a domain admin (who is not an
> enterprise admin) from viewing the event logs on a server/DC not in
> his/her domain? Thanks.
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/ 
> 