Event Viewer privileges (not-Security log)

[jaapengel79]

Recently we migrated some servers from Windows 2000 to Windows 2003 Standard Edition.

In W2000, our first-line Helpdesk users were members of a global group, aptly named 'User Admin', and this gg was member of "Power Users" and "Backup Operators" on all Windows 2000 member servers.

In W2003, we chose to make User Admin member of Power Users and Backup Operators again.

Now, the thing is that on the new Windows 2003, our Helpdesk users cannot remotely access Event Viewer logs such as System, Application, and Security. Now, Security is probably the least of our problems since this can be fixed by a policy, but the other two are quite often used by them.

I'm wondering where the difference with Windows 2000 lies. On all Windows 2000 systems, being a member of Power Users and/or Backup Operators seems sufficient to access Event Viewer logs remotely. On 2003, they cannot see anything anymore in these logs. Also starting TSM (our backup software) generates an "Access Denied" error which seems related to this problem, but first things first.

Ofcourse I've been browsing the net about the difference in privilege requirements on 2000 and 2003 but cannot seem to find anything outside the 'Security Log' requirement (which means being member of the local Admin group to view Security logs).

Anyone giving away hints on this one?

 

[jaapengel79]

Ok, I found it already.

(A;; 0x1;;;PU)

Adding this to the CustomSD key located in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\ gives read permissions to Power Users to which our Helpdesk belongs. Also, for the other logs it works the same.

http://support.microsoft.com/default.aspx?scid=kb;en-us;323076