Is it possible to grant Read-Only Access to all Event Logs on Domain Controllers
Solution 1
There is a built in group for just this purpose. Event Log Readers. Add users to the group that you want to have read access to the logs. You can definitely do this via GPO. You can modify the Default Domain Controllers Policy (or create one at the same level) if you want it to only apply to your DCs. You want to update the Event Log Readers group with the users you want to be able to read event logs on your DCs.
Solution 2
It's definitely feasible, depending on if you're running Server 2003 SP1 and newer or not. If so you can modify some registry settings that allow specific access to Event viewer as well as apply local GPO settings for users.
Microsoft has a Document Here out there showing the steps to take to do exactly what you want to do.
![Andy Schneider](https://i.stack.imgur.com/T2XqC.jpg?s=256&g=1)
Andy Schneider
A Systems Engineer in the Greater Seattle Area. I am big fan of PowerShell. Follow me on Twitter, @andyschneider
Updated on September 18, 2022Comments
-
Andy Schneider almost 2 years
I would like to grant Read-Access to event logs on all my domain controllers, ideally at a domain level using GPO. I would like members of a group to be able to view the Application Log, the System Log, and several logs in "Application and Services logs" such as "Directory Service" and "File Replication Service." What would be the best strategy of going about this?
Please note that most of my Domain Controllers are 2008 R2
-
Split71 over 12 yearsLook at the bottom of this article for trying the wevtutil.exe utility for ACL modifications within 2008 R2 blogs.msdn.com/b/ericfitz/archive/2006/03/01/541462.aspx This may or may not work for you, and I can't be 100% because i haven't had to do it within 2008 R2.
-
Andy Schneider over 12 yearsI got this working by adding users to Event Log Readers which is in the in Builtin container in AD, not in Local users and groups. Not sure why it failed the first time.