Granting Non-Admin User Read-Only Access to Windows Security Logs

Anonymous
2024-04-19T13:27:30+00:00

Hello,

I am struggling to grant a non-admin user read-only access to the Windows Security Logs. Here's what I've tried so far:

  1. I created a user called SecLogReader, placed them in the appropriate OU, and added them to the Event Log Readers group.
  2. I set up a GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and added the SecLogReader to "Manage auditing and security log". I applied this GPO both to the group containing the user and to the group containing the target VMs (later I also tried to Enforce this GPO, just to be sure).
  3. After updating the GPO, as expected, the user still cannot read the security logs.
  4. In AD Users and Computers, I created a security group named Security Log Readers. I'm unsure about the best location for this group—should it be in the OU like 'users', or does it not really matter? I set the group scope to Global and type to Security, added the user to this group, and retried without success.
  5. Out of desperation, I manually granted the user read permissions for the entire folder at C:\Windows\System32\winevt, but this also failed to resolve the issue.

I don't think it's crucial, but just in case: I access the logs using a custom console application, which works perfectly when I run it as an administrator. The user has full rights on the folder where the tool is stored.

This is on Windows Server 2016.

Any advice on what might be going wrong or what steps I should take next would be greatly appreciated!

Thank you!


1 answer

  1. Anonymous
    2024-04-19T14:28:23+00:00

    Hello Ondrej Vendég,

    Thank you for posting in Microsoft Community forum.

    You can add the domain user or domain group to the local Event Log Readers group on every domain machine.

    If you have more than one machine, you can add the domain user or domain group to the local Event Log Readers group on every domain machine via GPO.

    1. Create one OU and put these machines into this OU.
    2. Create a GPO.
    3. Link this GPO to the OU above.
    4. Edit the GPO. Navigate to Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups\New Local Group

    Group Name: Event Log Readers (built-in)
    Members: add the user or group you want.

    Reference:

    active directory - Is it possible to grant Read-Only Access to all Event Logs on Domain Controllers - Server Fault

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

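The answer's approach, scripted for a single member server and followed by the checks an administrator would run to confirm it worked. This is an added example, not code from the thread or from Microsoft; it assumes a domain named CONTOSO and reuses the "Security Log Readers" global group from the question, so replace both with your own names. The Security log is readable by the built-in Event Log Readers group because that group's SID (S-1-5-32-573) is listed with read access in the log's channel access descriptor, which is what the `wevtutil` line inspects. One caveat worth knowing: a new group membership only appears in the user's access token at the next sign-in, so the verification step must be run in a fresh session for that account.

```powershell
# Added example (not from the original thread). Assumed names: domain CONTOSO
# and the "Security Log Readers" group from the question. Run elevated on the
# server whose Security log the non-admin user should be able to read.
$DomainGroup = 'CONTOSO\Security Log Readers'   # assumption: replace with your DOMAIN\Group

# 1. Add the domain group to the built-in local Event Log Readers group (idempotent).
#    Membership here grants read access to the Security log without admin rights.
$alreadyMember = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
                 Where-Object { $_.Name -eq $DomainGroup }
if (-not $alreadyMember) {
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $DomainGroup
}

# 2. Confirm the membership took effect on this machine.
Get-LocalGroupMember -Group 'Event Log Readers' | Format-Table Name, ObjectClass, PrincipalSource

# 3. Inspect the Security log's channel access SDDL. The default descriptor
#    contains (A;;0x1;;;S-1-5-32-573), i.e. read access for Event Log Readers.
#    If that ACE is missing, the log's access list was customised and membership
#    alone will not be enough.
wevtutil gl Security | Select-String 'channelAccess'

# 4. Verify from the non-admin user's own session (sign in again first so the
#    token carries the new group). A successful read returns the newest events;
#    an access-denied error here means the token does not yet include the group
#    or the channel access descriptor does not grant it.
Get-WinEvent -LogName Security -MaxEvents 5 | Format-Table TimeCreated, Id, ProviderName
```

Step 4 is the one that actually answers the original question, because it exercises the same API path (the event log service, not NTFS permissions on `C:\Windows\System32\winevt`) that a console application uses to read events; granting folder permissions, as tried in the question, does not affect that path.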