Re: Reading Security Event Logs with Service Account



Try this: Go to Start > Run > secpol.msc > enter. The Local Security
Settings MMC will open. Go to Local Policies > User Rights Assignment > in
the right pane will be Manage auditing and security log. If you add the
account you created to that, it should be able to access the logs through
any means, interactively or via scripting with WMI. If that works ok with
your app, then set that in the GPO for the OU where the servers are. I would
suggest creating a domain-level group and then giving that group the rights.
Add the user account to that group afterwards.

--
Regards,

Martin X.
Microsoft Certified Systems Administrator: Messaging
Philadelphia, Pennsylvania, USA

"Randy B" <Randy B@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BF1AF5CF-5C39-4FC8-A3A4-5326F71751B9@xxxxxxxxxxxxxxxx
I have a log aggregation application that uses WMI to monitor security event
logs on Windows servers. The documentation says it requires a domain admin
account or local administrator account for access to the security logs, but I
would like to use the concept of "least privilege" and use a service account
instead with only the minimum rights and privileges needed. What would I need
to grant to this service account on Windows Server 2003 SP1 and SP2 to allow
the application to query the security event logs using WMI for all my servers
(domain controllers, member servers, and workgroup servers)?

Thanks!
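
The following is an added example, not part of the original posts: a PowerShell check that the "Manage auditing and security log" right (internal name SeSecurityPrivilege) landed on the intended group and nothing broader, by parsing a `secedit` export of the local user rights. The same right also permits clearing the Security log, so the full holder list is worth reviewing; the group name `EXAMPLE\SecLogReaders` and the temp file name are assumptions.

```powershell
# Added example: audit who holds SeSecurityPrivilege on this machine.
# Run from an elevated prompt; secedit needs administrative rights to export.
param(
    [string]$ExpectedGroup = 'EXAMPLE\SecLogReaders'   # hypothetical group name
)

function Get-UserRightHolders {
    # Return the raw entries ("*S-1-5-..." or account names) assigned to one right.
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        [Parameter(Mandatory)][string]$Right
    )
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            return $Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        }
    }
    return @()   # right not listed in the export: nobody holds it
}

function Resolve-Holder {
    # secedit writes SIDs with a leading '*'; translate them to DOMAIN\name when possible.
    param([string]$Entry)
    if ($Entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $sid.Value }   # orphaned or unresolvable SID: show it as-is
    }
    return $Entry
}

$tmp = Join-Path $env:TEMP 'user_rights_export.inf'   # hypothetical file name
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
try {
    $holders = Get-UserRightHolders -InfLines (Get-Content $tmp) -Right 'SeSecurityPrivilege' |
        ForEach-Object { Resolve-Holder $_ }
} finally {
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

# Print every holder so unexpected accounts stand out, then flag a missing grant.
$holders | ForEach-Object { "SeSecurityPrivilege: $_" }
if ($holders -notcontains $ExpectedGroup) {
    Write-Warning "$ExpectedGroup does not hold SeSecurityPrivilege on $env:COMPUTERNAME"
}
```

Running it on one server per OU after the GPO refreshes shows whether the policy applied; workgroup servers take the setting from local policy, so they need the check individually.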

