I had a firewall appliance that needed to read Active Directory (domain controller) event logs using an ordinary AD user rather than an administrator account. I found a very good article on how to set this up, and I want to summarize it and share it with you:
- The first step is to modify the local security policy on the domain controller. You can't do this directly from Local Security Policy under Administrative Tools, because a domain controller's security settings are governed by Group Policy; instead, go to Group Policy Management:
Note: you need administrative privileges (Domain Admin, or local administrator on the server).
Go to Domain Controllers -> Default Domain Controllers Policy (or a dedicated GPO linked to the Domain Controllers OU; many admins prefer that over editing the default policy)
Right-click -> Edit
Under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
Double-click Manage auditing and security log (this is the SeSecurityPrivilege user right, which is what allows a non-administrator to read the Security log)
Select Add User or Group -> Browse to the user -> OK -> OK. Run gpupdate /force on the DC, or wait for the next policy refresh, for the setting to take effect.
- The second step is to open the WMI control console:
Go to Run on the Start menu -> type "wmimgmt.msc"
Right-click WMI Control -> Properties -> Security tab -> expand Root -> select the Security folder -> click the Security button at the bottom of the dialog
Click Add to add the user -> under Permissions, tick Allow for Execute Methods -> OK. If the appliance queries WMI over the network (the usual case), also tick Allow for Remote Enable on the same namespace: remote WMI connections from a non-administrator are refused without it.
Now this user can read the domain controller's Security event log without being an administrator.
The GPO from the first step applies to every domain controller in the Domain Controllers OU once it replicates, but the WMI namespace permissions from the second step are stored locally on each server, so repeat that step on every domain controller the appliance reads from.
You can test this by logging on as that user, opening Server Manager -> Connect to Another Computer (the DC) -> Event Viewer: the Security log, which is normally readable only by administrators, now opens for this account (the Application and System logs were already readable by authenticated users).
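The following PowerShell script is an added example for verifying the two steps above from the command line; it is not code from the original post or from the linked ManageEngine article. The domain controller name DC01.corp.example and the account CORP\svc-fwlog are assumptions, as is the root\cimv2 namespace (that is where Win32_NTLogEvent, the class WMI-based log collectors query, lives; pass a different namespace if your collector uses another one). Checks 1 and 2 run as an administrator on each DC; check 3 runs from another domain member, as the appliance would.

```powershell
# Added example, not code from the original post or from the linked ManageEngine article.
# Assumed names, substitute your own: DC01.corp.example is a domain controller and
# CORP\svc-fwlog is the ordinary AD user the firewall appliance authenticates with.
$Dc      = 'DC01.corp.example'
$Account = 'CORP\svc-fwlog'

function Get-AccountSid {
    param([string]$Account)
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# Check 1 - run as an administrator on the DC.
# "Manage auditing and security log" is the SeSecurityPrivilege user right. secedit exports the
# effective policy; the relevant line lists SIDs (prefixed with *), so compare against the account's SID.
function Test-SecurityLogUserRight {
    param([string]$Account)
    $sid = Get-AccountSid $Account
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = (Select-String -Path $inf -Pattern '^SeSecurityPrivilege' | Select-Object -First 1).Line
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($line -and $line -match [regex]::Escape($sid)) {
        "OK: $Account holds SeSecurityPrivilege on $env:COMPUTERNAME"
    } else {
        "MISSING: $Account is not in '$line' - check the GPO and run gpupdate /force"
    }
}

# Check 2 - run as an administrator on the DC.
# Reads the DACL of the WMI namespace and decodes the bits the appliance needs.
function Test-WmiNamespaceAce {
    param([string]$Account, [string]$Namespace = 'root\cimv2')
    $sid  = Get-AccountSid $Account
    $sd   = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
    # AceType 0 = ACCESS_ALLOWED; OR the masks of all allow ACEs that name this account.
    $aces = $sd.Descriptor.DACL | Where-Object { $_.Trustee.SIDString -eq $sid -and $_.AceType -eq 0 }
    if (-not $aces) { return "MISSING: no allow ACE for $Account on $Namespace" }
    $mask = 0
    foreach ($ace in $aces) { $mask = $mask -bor $ace.AccessMask }
    # Access-mask bits are the documented WBEM_* values for namespace security.
    [pscustomobject]@{
        Namespace      = $Namespace
        EnableAccount  = [bool]($mask -band 0x1)   # WBEM_ENABLE
        ExecuteMethods = [bool]($mask -band 0x2)   # WBEM_METHOD_EXECUTE
        RemoteEnable   = [bool]($mask -band 0x20)  # WBEM_REMOTE_ACCESS, needed for queries from another host
    }
}

# Check 3 - run from another domain member, as the appliance would (prompts for the account's password).
# Get-WinEvent uses the event log RPC interface (what Event Viewer uses) and exercises the user right only;
# Get-WmiObject uses DCOM/WMI (what the appliance uses) and exercises the namespace DACL as well.
function Test-RemoteSecurityLogRead {
    param([string]$Dc, [string]$Account, [string]$Namespace = 'root\cimv2')
    $cred = Get-Credential -UserName $Account -Message "Password for $Account"
    Get-WinEvent -ComputerName $Dc -Credential $cred -LogName Security -MaxEvents 3 |
        Select-Object TimeCreated, Id, ProviderName
    Get-WmiObject -ComputerName $Dc -Credential $cred -Namespace $Namespace -Class Win32_NTLogEvent `
        -Filter "Logfile='Security' AND EventCode=4624" |
        Select-Object -First 3 TimeGenerated, EventCode, SourceName
}

# Usage: checks 1 and 2 on each DC, check 3 from the collector's side of the network.
# Test-SecurityLogUserRight -Account $Account
# Test-WmiNamespaceAce -Account $Account
# Test-RemoteSecurityLogRead -Dc $Dc -Account $Account
```

If the Get-WinEvent call in check 3 succeeds but the Win32_NTLogEvent query fails with an access-denied error, the event log right is fine and the problem is on the WMI side: either Remote Enable is missing from the namespace (check 2 shows it) or the account lacks DCOM remote launch and activation rights on the DC, which membership in that server's Distributed COM Users group grants.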
http://www.manageengine.com/products/active-directory-audit/help/admin/domain-settings/authentication-for-collecting-audit-data.html#wmi