Give a non-Administrator user access to read the event logs in Active Directory

I had a firewall appliance that needs to read AD logs using a normal AD user. To fulfill this requirement I found a very good article, which I want to summarize and share with you:

  • First, modify the local security policy on the Domain Controller. This can't be done by opening Local Security Policy directly from Administrative Tools; you have to go through Group Policy Management:

Note: you need administrative privileges (Domain Admin or local Administrator on the server).


Go to Domain Controllers -> Default Domain Controllers Policy

Right click -> Edit

Under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Select and double click Manage auditing and security log

 


Select Add User or Group -> Browse to add the user -> OK -> OK

  • The second step is to open the WMI management console:

  Go to Run on the Start menu -> type “wmimgmt.msc”

Right click on WMI Control -> select Properties -> Security tab -> expand Root -> select the Security folder -> then click the Security button at the bottom of the box

 


Press Add to add the user -> in the permissions list, check the Allow box for Execute Methods -> then OK


 

Now this user has access to read only the AD Security event log.

If you have more than one Domain Controller, you have to apply the same settings on all of them.

You can test this by logging in with the same user name, opening Server Manager -> connect to a different computer (the DC) -> open the event logs; you will see that you only have access to the Security log.
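To confirm both settings on each Domain Controller without clicking through the consoles, the following check can be run locally on the DC. It is an added example, not part of the referenced article; the account name `CONTOSO\svc-fwlogs` is hypothetical, and the namespace `root\SECURITY` is assumed to correspond to the Security folder selected under Root in the WMI step.

```powershell
# Added example: run in an elevated PowerShell session on each domain controller.
param(
    [string]$Account   = 'CONTOSO\svc-fwlogs',  # hypothetical account name
    [string]$Namespace = 'root\SECURITY'        # assumed: the Security folder under Root
)

function Test-SecurityLogRight {
    param([string]$Sid, [string]$Account)
    # Export the current user rights and read the SeSecurityPrivilege line
    # ("Manage auditing and security log"). Only direct assignments are
    # checked, not rights inherited through group membership.
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' } |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    # Entries are "*<SID>" or, occasionally, a plain account name.
    $holders = ($line -split '=', 2)[1].Split(',') |
               ForEach-Object { $_.Trim().TrimStart('*') }
    return ($holders -contains $Sid) -or ($holders -contains $Account)
}

function Test-WmiExecuteMethods {
    param([string]$Sid, [string]$Namespace)
    # Read the namespace security descriptor and look for an allow ACE
    # for the account that includes the Execute Methods bit.
    $sd = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
                           -Name GetSecurityDescriptor
    if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($sd.ReturnValue)" }
    $executeMethods = 0x2   # WBEM_METHOD_EXECUTE
    foreach ($ace in $sd.Descriptor.DACL) {
        $isAllow = ($ace.AceType -eq 0)   # 0 = access allowed
        if ($isAllow -and $ace.Trustee.SIDString -eq $Sid -and
            ($ace.AccessMask -band $executeMethods)) { return $true }
    }
    return $false
}

# Resolve the account to its SID once, then report both checks for this DC.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
[pscustomobject]@{
    Computer                     = $env:COMPUTERNAME
    Account                      = $Account
    ManageAuditingAndSecurityLog = Test-SecurityLogRight -Sid $sid -Account $Account
    WmiExecuteMethods            = Test-WmiExecuteMethods -Sid $sid -Namespace $Namespace
}
```

The user right checked here (SeSecurityPrivilege) also permits clearing the Security log and editing object audit settings (SACLs), so assign it to a dedicated account and monitor event ID 1102 (audit log cleared).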

Resources:

http://www.manageengine.com/products/active-directory-audit/help/admin/domain-settings/authentication-for-collecting-audit-data.html#wmi
