6 thoughts on “Domain Controller Security Logs – how to get at them *without* being a Domain Admin”

  1. ChadH

    Make sure when you modify the permissions on HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security that you set the permission for ‘this key and all subkeys’. By default, if you add permissions it will only do it for the root key level. You have to go into ‘advanced’ on the permissions window.

  2. Tom H

    After spending days on this issue, I finally found your post and it solved the issue for my particular need. ChadH’s suggestion also helped solve the problem. Thank you for the solution.

  3. Chris

    I can’t find HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\CustomSD … am I missing something? – Win2012 R2

  4. Dave

    Thanks Jess, after a good 8 hours of nosing around the web and trying different approaches you totally solved this puzzle for me!

    Such a great post – cheers 🙂

    Dave

  5. Chris

    Have you ever verified these steps for getting access to the System event log on a Domain Controller? Followed your steps for the Security log, but still get Access Denied for the System log.

  6. Ken Bush

    Be sure remote management is enabled on the server. This is enabled by default on 2012R2 & Up

    Add the network Service Account to the Event Log readers group (A;;0x1;;;S-1-5-20)

    wevtutil gl security – This is gonna display the SIDs that have access. In some cases you need to add (A;;0x1;;;S-1-5-20); use the command below. This adds access to the network service account.

    wevtutil sl security /ca:O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)

    Run wevtutil gl security again to be sure the network service account was added (cmd prompt run as admin).

    Now add the member server\workstation where you want the events to forward to:
    Add-ADGroupMember -Identity 'Event Log Readers' -Members contososrv1$

    On the member server open event viewer and go to subscriptions, create a subscription and add your source server.

    This could take up to 15 mins for logs to begin pouring in.

    If you have any scheduled tasks tied to your logs, such as event 4740 (account lockout) move that task to the member server. Create a standard user in AD. Open local GPO on the member server add the user right assignment to logon as batch. Now use that account to run your task. This way you don’t need domain admin rights to read the logs from the server or trigger a powershell script when the alert is logged.

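A small PowerShell audit of the channelAccess SDDL that Ken's wevtutil steps read and rewrite, added here as an example (it is not code from the post or any commenter). It assumes an elevated prompt with wevtutil on PATH; when wevtutil is absent it falls back to a constructed sample SDDL so the parsing can still be exercised.

```powershell
# Added example (not from the post or its commenters): parse the Security channel's
# channelAccess SDDL, report whether a SID already holds read (0x1) access, and print the
# exact 'wevtutil sl' command to grant it if not. Assumes an elevated prompt with wevtutil
# on PATH; otherwise a constructed sample SDDL is used.

function Get-SecurityChannelSddl {
    # 'wevtutil gl security' prints one "key: value" line per setting; channelAccess is the SDDL.
    $line = wevtutil gl security | Where-Object { $_ -match '^\s*channelAccess:' }
    if (-not $line) { throw 'channelAccess not present in wevtutil output' }
    return ($line -replace '^\s*channelAccess:\s*', '').Trim()
}

function Test-SddlGrantsRead {
    param([string]$Sddl, [string]$Sid)
    # Each ACE is (type;flags;rights;objGuid;inhGuid;trustee), e.g. (A;;0x1;;;S-1-5-32-573).
    foreach ($ace in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $parts = $ace.Groups[1].Value -split ';'
        if ($parts.Count -lt 6 -or $parts[0] -ne 'A' -or $parts[5] -ne $Sid) { continue }
        # Channel ACLs normally carry hex access masks; skip anything else rather than guess.
        if ($parts[2] -notmatch '^0x[0-9A-Fa-f]+$') { continue }
        if ([Convert]::ToInt32($parts[2], 16) -band 0x1) { return $true }
    }
    return $false
}

# Event Log Readers (S-1-5-32-573), the group the comment adds the collector's account to.
$sid = 'S-1-5-32-573'
if (Get-Command wevtutil -ErrorAction SilentlyContinue) {
    $sddl = Get-SecurityChannelSddl
} else {
    $sddl = 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)'   # constructed sample lacking the readers ACE
}

if (Test-SddlGrantsRead -Sddl $sddl -Sid $sid) {
    "OK: $sid already has read access on the Security channel: $sddl"
} else {
    # Append the ACE to the existing string so no current grant is dropped.
    "Missing: run from an elevated prompt:`n  wevtutil sl security /ca:$sddl(A;;0x1;;;$sid)"
}
```

Re-run `wevtutil gl security` after applying the printed command to confirm the ACE is present, as the comment suggests.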
