Posted by Steven L Umbach on November 3, 2006, 3:13 pm
Try running an RSOP for the user in question on the DC to see if it reports
what you expect. The GPO you linked to the DC container would need to be
above the default GPO for that container to work.
Steve
> Hi all
>
> I've got a problem .... which I'm sure must have been solved many times
> before!
>
> I need to delegate rights to the security log on my domain controllers to
> the "Security Administrators", note they are not Domain Admins or any
> other form of IT admins (i.e. not server operators nor backup operators,
> etc.). However I want them to be able to manage the security event log
> remotely - i.e. not have to log on locally (or remotely) to the domain
> controller.
>
> So for testing, on my test lab I grant a non-privileged user the "Manage
> auditing and security log" right through a GPO linked to the Domain
> Controllers OU. Then check the GPO is applied to the DC and go to a
> workstation as that user - run up event viewer, connect to the DC only to
> receive an 'Unable to complete the operation on "Security". Access is
> denied' message for the security log.
>
> I tried adding the user to Server Operators, no good. So then gave the
> user logon rights and logged onto the DC and logged on locally, still no
> good.
>
> As an acid test, linked the same GPO to an OU with an XP Professional
> Workstation - then tried using this right remotely (i.e. from another
> server, open Event Viewer, connect to remote computer - select the
> workstation) and it worked! i.e. user was able to manage the security
> event log.
>
> So the right works for an XP Workstation but not a 2003 domain controller.
> Note I've not tested it against a 2003 member server (yet!)
>
> So the question is: How do I grant rights to allow a user (or group of
> users) the right to remotely manage the security event log?
>
> Thanks (in advance)
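
A way to check which policy actually won on the DC, complementing the RSOP suggestion in the reply. This is an added example, not part of the original thread: it exports the effective user rights with `secedit` and lists who holds `SeSecurityPrivilege` ("Manage auditing and security log"). The SID in `$DelegatedSid`, the helper function names and the sample export lines are constructed placeholders.

```powershell
# Added example. Run elevated on the DC; falls back to a constructed sample elsewhere.
$Privilege    = 'SeSecurityPrivilege'   # "Manage auditing and security log"
# Constructed placeholder SID for the delegated group; replace with the real one.
$DelegatedSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'

function Get-PrivilegeHolders {
    param([string[]]$InfLines, [string]$Name)
    $inRights = $false
    $pattern  = '^{0}\s*=\s*(.*)$' -f [regex]::Escape($Name)
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        # Track which INF section we are in; only [Privilege Rights] matters.
        if ($t -match '^\[(.+)\]$') { $inRights = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inRights -and $t -match $pattern) {
            return @($Matches[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # right not defined in the export
}

function Resolve-Holder {
    param([string]$Entry)
    if ($Entry -notmatch '^S-1-') { return $Entry }   # secedit already wrote a name
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$Entry
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Entry }                                # unresolvable SID: show it raw
}

if (Get-Command secedit.exe -ErrorAction SilentlyContinue) {
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $lines = Get-Content $cfg
} else {
    # Constructed sample of a secedit export, for reading the logic offline.
    $lines = @(
        '[Unicode]', 'Unicode=yes', '[Privilege Rights]',
        'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551',
        'SeSecurityPrivilege = *S-1-5-32-544',
        '[Version]', 'signature="$CHICAGO$"'
    )
}

$holders = @(Get-PrivilegeHolders -InfLines $lines -Name $Privilege)
$holders | ForEach-Object { '{0}  ({1})' -f $_, (Resolve-Holder $_) }
if ($holders -notcontains $DelegatedSid) {
    Write-Warning "$DelegatedSid does not hold $Privilege in the effective policy on this machine."
}
```

User rights assignments from different GPOs are not merged, so if the delegated group is missing here, a higher-precedence GPO is defining the right; `gpresult /scope computer /v` on the DC lists the GPOs that applied.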