Can a security administrator be granted exclusive access to a Windows 2000 security log?

Ask the Expert

Is there a way to provide the security manager with exclusive and complete access to the security log of Windows 2000, but grant "read-only" access rights to the support staff?

Unfortunately, in Windows 2000 access to the Security log is all or nothing. It is governed by a single user right, "Manage auditing and security log" (SeSecurityPrivilege), and whoever holds that right can both read the log and clear it; there is no separate read-only right. Individual entries cannot be edited, but anyone who can view the log, administrator or not, can wipe it wholesale, which is exactly what a read-only viewer is meant to prevent.

The right is assigned under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment, either in a Group Policy Object (GPO) linked to the domain or to the Domain Controllers OU, or in the Local Security Policy of individual workstations and servers. By default only the Administrators group holds "Manage auditing and security log".

A possible workaround, though somewhat complicated and restrictive for your staff, is to create two groups: one for your security manager, holding "Manage auditing and security log" on the Windows 2000 boxes, and another for your support staff as ordinary users. The Security log can be read programmatically (for example through the .NET System.Diagnostics.EventLog class, or WMI's Win32_NTLogEvent class from ASP), so a script running under an account in the first group can read the entries and display them on a Web site on your corporate Intranet that only your support staff can reach. The support staff then see the log without holding the right that would let them clear it.

The problem with this approach is that the Web site would have to be built either by your company's developers or by someone else with serious programming or scripting experience, and it has to be locked down carefully, since the account it runs under now holds the very right your support staff are denied. Your support staff, who wouldn't have admin accounts, would also have limited access to systems they might need to oversee.
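What such a page looks like, as an added example that is not code from the original column: a read-only ASP.NET view of the Security log that support staff can open, while the process reading the log runs as an account in the security manager's group. It assumes Integrated Windows authentication on the site, an ASP.NET worker process identity that is a member of a hypothetical CORP\SecurityManagers group holding "Manage auditing and security log", and a hypothetical CORP\SupportStaff group for the viewers; none of those names come from the page.

```csharp
// Added example, not code from the original column. Read-only ASP.NET view of the
// Windows Security log for support staff. Assumptions (not from the page):
//  - Integrated Windows authentication is on and anonymous access is off;
//  - the ASP.NET worker process identity belongs to a hypothetical CORP\SecurityManagers
//    group that holds "Manage auditing and security log" (SeSecurityPrivilege);
//  - support staff belong to a hypothetical CORP\SupportStaff group and hold no such right.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security;
using System.Web;
using System.Web.UI;

public class SecurityLogView : Page
{
    const string SupportRole = @"CORP\SupportStaff";  // assumed group name
    const string TargetMachine = ".";                 // "." = local box; a hostname reads a remote log
    const int MaxEntries = 200;

    // One row of the read-only view, copied out so no EventLog handle outlives the read.
    sealed class LogRow
    {
        public DateTime Time;
        public long EventId;
        public string Type;      // SuccessAudit or FailureAudit in the Security log
        public string Account;
        public string Message;
    }

    // Reads the newest 'count' entries. EventLog exposes reads and Clear(); Clear() is
    // never called here, so nothing on this page can alter or wipe the log. Opening
    // "Security" throws SecurityException if the worker identity lacks SeSecurityPrivilege.
    static List<LogRow> ReadNewest(string machine, int count)
    {
        List<LogRow> rows = new List<LogRow>();
        using (EventLog log = new EventLog("Security", machine))
        {
            EventLogEntryCollection entries = log.Entries;
            for (int i = entries.Count - 1; i >= 0 && rows.Count < count; i--)
            {
                EventLogEntry e = entries[i];
                LogRow r = new LogRow();
                r.Time = e.TimeGenerated;
                r.EventId = e.InstanceId;
                r.Type = e.EntryType.ToString();
                r.Account = e.UserName ?? "";
                r.Message = e.Message;
                rows.Add(r);
            }
        }
        return rows;
    }

    protected override void OnLoad(EventArgs args)
    {
        base.OnLoad(args);

        // Second gate after IIS authentication: only members of the support group get a view.
        if (!User.Identity.IsAuthenticated || !User.IsInRole(SupportRole))
            throw new HttpException(403, "Security log view is restricted to support staff.");

        List<LogRow> rows;
        try
        {
            rows = ReadNewest(TargetMachine, MaxEntries);
        }
        catch (SecurityException)
        {
            // Server-side misconfiguration; give the browser no details about the log or the account.
            throw new HttpException(500, "The web application identity cannot read the Security log.");
        }

        Response.ContentType = "text/html";
        Response.Write("<table><tr><th>Time (UTC)</th><th>Event</th><th>Type</th><th>Account</th><th>Message</th></tr>");
        foreach (LogRow r in rows)
        {
            // Account names and messages are attacker-influenced (they come from logon attempts),
            // so every field is HTML-encoded before it reaches the viewer's browser.
            Response.Write("<tr><td>" + HttpUtility.HtmlEncode(r.Time.ToUniversalTime().ToString("u")) + "</td>"
                + "<td>" + r.EventId + "</td>"
                + "<td>" + HttpUtility.HtmlEncode(r.Type) + "</td>"
                + "<td>" + HttpUtility.HtmlEncode(r.Account) + "</td>"
                + "<td>" + HttpUtility.HtmlEncode(r.Message) + "</td></tr>");
        }
        Response.Write("</table>");
    }
}
```

Wire it to an .aspx page with `<%@ Page Inherits="SecurityLogView" %>` and, in web.config, `<authentication mode="Windows" />` plus an `<authorization>` block that allows the support group role and denies `users="*"`, so IIS and ASP.NET refuse everyone else before the page's own role check runs. The privilege check happens at the point the Security log is opened, not at page load, which is why the SecurityException is caught there and turned into a generic server error.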

This was first published in October 2006.