
Reading Security Event Logs with Service Account

Posted by Randy B on November 15, 2007, 7:36 pm
I have a log aggregation application that uses WMI to monitor security event
logs on Windows servers. The documentation says it requires a domain admin
account or local administrator account for access to the security logs, but I
would like to use the concept of "least privilege" and use a service account
instead with only the minimum rights and privileges needed. What would I need
to grant to this service account on Windows Server 2003 SP1 and SP2 to allow
the application to query the security event logs using WMI for all my servers
(domain controllers, member servers, and workgroup servers)?

Thanks!

Posted by Martin X. on November 16, 2007, 12:31 pm
Try this: Go to Start > Run > secpol.msc > enter. The Local Security
Settings MMC will open. Go to Local Policies > User Rights Assignment > in
the right pane will be Manage auditing and security log. If you add the
account you created to that, it should be able to access the logs through
any means, interactively or via scripting with WMI. If that works ok with
your app, then set that in the GPO for the OU where the servers are. I would
suggest creating a domain-level group and then giving that group the rights.
Add the user account to that group afterwards.

--
Regards,

Martin X.
Microsoft Certified Systems Administrator: Messaging
Philadelphia, Pennsylvania, USA


Posted by Randy B on November 16, 2007, 2:52 pm
Thanks, Martin. I have tried the following based upon several other posts
from different forums and none of them have worked. My user is a service
account in the Domain Users group.
- Grant Manage auditing and security log
- Grant Impersonate a client after authentication
- Allow log on locally
- Back up files and directories
- Add user to Event Log registry hive with full permission

Any other suggestions?


Posted by Martin X. on November 16, 2007, 4:00 pm
I never tried that myself, but it looked like it "should" work. Anyway,
after you did all that, were you able to log on with the service account and
view the security log? If you can't using that method, then it will probably
prevent you from doing it via WMI also.

Have you tried adding the service account to one of the built-in groups,
Backup Operators or Server Operators? That will give the account more
rights/permissions than it really needs, but it's still not an admin. Other
than that I'm not sure what else you could try.

--
Regards,

Martin X.
Microsoft Certified Systems Administrator: Messaging
Philadelphia, Pennsylvania, USA


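As an added example (not code from the thread or from any of its posters), a PowerShell check covering the two things Martin's replies point at: confirming that the group meant to carry "Manage auditing and security log" (SeSecurityPrivilege) actually holds it on a server, and testing whether the service account can read the Security log through the same WMI class (Win32_NTLogEvent) a log collector uses. The server names, the group name and the credential prompt are placeholders.

```powershell
# Added example (not from the thread): on a Windows server, verify that the group
# meant to hold "Manage auditing and security log" (SeSecurityPrivilege) really has
# it, and test whether the service account can read the Security log through the
# same WMI class a log collector uses. Names and the credential are placeholders.
param(
    [string[]]$Servers = @('DC01', 'MEMBER01'),       # placeholder server names
    [string]$LogReaderGroup = 'CORP\SecLogReaders',    # placeholder domain group
    [System.Management.Automation.PSCredential]$ServiceCred = (Get-Credential)
)

# 1. Local User Rights Assignment: export with secedit and read the
#    SeSecurityPrivilege line, which lists *SIDs (or names) holding the right.
function Test-SecurityLogRight {
    param([string]$GroupName)
    $tmp = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $tmp -Pattern '^SeSecurityPrivilege' | Select-Object -First 1
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    return ($line.Line -match [regex]::Escape("*$sid")) -or
           ($line.Line -match [regex]::Escape($GroupName))
}

# 2. The test that matters to the collector: read one Security event over WMI
#    as the service account. Remote WMI as a non-admin also depends on DCOM and
#    WMI namespace permissions, so a failure here is not always the log right.
function Test-SecurityLogWmiRead {
    param([string]$Computer, [System.Management.Automation.PSCredential]$Credential)
    try {
        $evt = Get-WmiObject -ComputerName $Computer -Credential $Credential `
            -Query "SELECT EventCode, TimeGenerated FROM Win32_NTLogEvent WHERE Logfile='Security'" `
            -ErrorAction Stop | Select-Object -First 1
        New-Object PSObject -Property @{ Computer = $Computer; Readable = $true
                                         Detail = "first event id $($evt.EventCode)" }
    } catch {
        New-Object PSObject -Property @{ Computer = $Computer; Readable = $false
                                         Detail = $_.Exception.Message }
    }
}

$granted = Test-SecurityLogRight -GroupName $LogReaderGroup
Write-Host ("SeSecurityPrivilege held by {0} on {1}: {2}" -f $LogReaderGroup, $env:COMPUTERNAME, $granted)
$Servers | ForEach-Object { Test-SecurityLogWmiRead -Computer $_ -Credential $ServiceCred } |
    Format-Table Computer, Readable, Detail -AutoSize
```

Run the first check on each server class in the question (domain controller, member server, workgroup server), since a GPO linked to one OU will not reach the others.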
Posted by Anthony on November 17, 2007, 2:00 am
Randy,
There are a few interesting articles on this:
http://blogs.msdn.com/ericfitz/archive/2006/03/01/541462.aspx
http://support.microsoft.com/default.aspx?kbid=323076
Hope that helps,
Anthony, http://www.airdesk.co.uk

