It should, but it gives a bit more access than is needed ( it also
allows you to clear the logs)

 

Checking in Miansi Windows 2008 R2 book and Moskowitz GPO book to see if
I can find anymore nuggets of knowledge on this. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 9:09 AM
To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

I would have thought that user right should do it, to be fair

On 28 October 2010 13:55, Ziots, Edward <ezi...@lifespan.org> wrote:

Yep, DC access is strictly limited, especially with the new Win2k8R2
Domain. 

 

If Manage Audit and Security Logs user right along with EventLog Readers
group access doesn't cut it for them, then ohh well. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 8:51 AM


To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

I take it giving the service account admin access to the DCs is a big
no-no as well :-) or, I suppose, rather defeats the object

On 28 October 2010 13:47, Ziots, Edward <ezi...@lifespan.org> wrote:

Yeah I saw that article, problem is one screw up and you could waste the
eventlogs on all the DC's and the DC's are in production, I rather not
have to play around trying to calculate the codes for SDDL and stuff.
With as many DC's as I have Id have to update the .INF file, register
it, on all the DC's and Id have to do this in a test environment first
to verify it works before doing change management in production. 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505

 

From: James Rankin [mailto:kz2...@googlemail.com] 
Sent: Thursday, October 28, 2010 8:27 AM


To: NT System Admin Issues
Subject: Re: Question on Granting service account read access to Domain
Controller Eventlogs

 

Maybe this? http://support.microsoft.com/kb/323076 

On 27 October 2010 16:31, Ziots, Edward <ezi...@lifespan.org> wrote:

Running a Windows 2008 R2 DFL/FFL domain, security team needs a service
account to have read only access to the Security Eventlog accordingly.
Is there a way via the Default Domain Controllers Policy to Grant this,
or maybe a users right in Windows 2008 R2 accordingly?

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org <mailto:email%3aezi...@lifespan.org> 

Cell:401-639-3505

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin




-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Reply via email to