Giving Non-Administrators permission to read Event Logs on Windows 2003 and Windows 2008

Apologies for not blogging for some time. I have been away on vacation, out of the country on training, plus work commitments, so add that up and it equals an enforced hiatus. Plus of course do not forget the Volcano :).

Well, I am back now and have some interesting information around Event Log access and the way things have changed in Windows 2008. This comes out of some work I have been doing with my customer.

So if you want to give non-administrator users remote access to event logs, and the servers or Domain Controllers they are accessing are Windows 2003, follow the steps below.

I have extrapolated the information contained in the following two KB articles. It is not easy, as it uses service discretionary access control lists.

This works for both Domain Controllers and member servers. Therefore, where the body of the steps talks about Default Domain Group Policies, this can be replaced with the relevant Group Policy Object.

You will also need to download a name-to-SID type utility. Details of this here.

There are others around, externally and internally to Microsoft. The internal one would only be available to you if you raise a Premier Support call as part of your Premier contract, if you have one.

Plus of course you have the Windows Sysinternals 

As per the article, follow the steps below:

Use Group Policy to Set Your Application and System Log Security for a Domain, Site, or Organizational Unit in Active Directory

Important: To view the Group Policy settings that are described in this article in the Group Policy editor, first complete the following steps, and then continue to the "Use Group Policy to Set Your Application and System Log Security" section:

1. Use a text editor such as Notepad to open Sceregvl.inf in the %Windir%\Inf folder.

2. Add the following lines to the [Register Registry Values] section (one entry per log; the System entry is the one whose %SysCustomSD% string is defined in the next step):

MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\Security\CustomSD,1,%SecCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\Directory Service\CustomSD,1,%DSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\DNS Server\CustomSD,1,%DNSCustomSD%,2

MACHINE\System\CurrentControlSet\Services\Eventlog\File Replication Service\CustomSD,1,%FRSCustomSD%,2

3. Add the following lines to the [Strings] section:

AppCustomSD="Eventlog:Security descriptor for Application event log"

SecCustomSD="Eventlog:Security descriptor for Security event log"

SysCustomSD="Eventlog:Security descriptor for System event log"

DSCustomSD="Eventlog:Security descriptor for Directory Service event log"

DNSCustomSD="Eventlog:Security descriptor for DNS Server event log"

FRSCustomSD="Eventlog: Security descriptor for File Replication Service event log"

4. Save the changes you made to the Sceregvl.inf file, and then run the regsvr32 scecli.dll command.

5. Start Gpedit.msc, and then double-click the following branches to expand them:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

6. View the right panel to find the new "Eventlog" settings.

7. Open the relevant policy for the member server (or the relevant Group Policy Object). Open Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and look for the Eventlog settings.

8. Use a name2sid utility to find the SID of the group to which you want to give access to the event viewer.

9. Open "Eventlog: Security descriptor for Application event log". Click "Define this policy setting".

Copy the following registry key:

Service\CustomSD etc…

Copy the above value for each of the event logs (like Application, System, Security etc…) and append (A;;0x3;;;<SID of the group>) to the respective event log's value.

Here 0x3 indicates read and write privileges. The write privilege is required only if the group needs to write events into the event logs (for example an application service running under this user account).

Replace 0x3 with 0x1 if this group needs only READ access to the event viewer.

10. Run GPupdate (on the DC when the policy targets Domain Controllers).

As an FYI, see below for the explanation of the codes in the default descriptor:

Entry               Meaning
O:BA                Object owner is Built-in Admin (BA).
G:SY                Primary group is System (SY).
D:                  This is a DACL, rather than an audit entry or SACL.
(D;;0xf0007;;;AN)   Deny Anonymous (AN) all access.
(D;;0xf0007;;;BG)   Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY)   Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA)       Allow Built-in Admin READ, WRITE and CLEAR.
(A;;0x7;;;SO)       Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU)       Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU)       Allow Service accounts READ and WRITE.
(A;;0x3;;;S-1-5-3)  Allow Batch accounts (S-1-5-3) READ and WRITE.

The specific event log access mask bits are:

0x0001 ELF_LOGFILE_READ   Permission to read log files.
0x0002 ELF_LOGFILE_WRITE  Permission to write log files.
0x0004 ELF_LOGFILE_CLEAR  Permission to clear log files (the CLEAR right in the table above).

However, for Windows 2008 life gets much easier.

Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case, just add them to the built-in Event Log Readers group.

However, if you do not want to give access to ALL event logs, you still have to resort to using SDDL.

The location of the SDDL has changed in Windows 2008: it is no longer set via the CustomSD value in the registry. You now have to use the wevtutil utility.

For example, if you need to define access to just the System event log on a Windows 2008 server:

1. Open the command prompt and run the following command to dump the SDDL for the System log out to a text file:

wevtutil gl system > C:\temp\out.txt

2. Open the text file and copy out the channelAccess: entry:

channelAccess: O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)

3. Copy the Interactive User (IU) entry and add a matching entry for your user or group's SID at the end (no spaces inside the entry):

O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-3-3127463467463)

4. Last, we need to apply the new SDDL. Just replace O:BAG:XXXX with the SDDL string you created in the previous step:

wevtutil sl System /ca:O:BAG:XXXX

In addition, you can remove access for the Event Log Readers group from the event log in question by removing the (A;;0x1;;;S-1-5-32-573) entry from that log's SDDL string.
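The SDDL editing in both procedures (appending an entry to the CustomSD value on Windows 2003, and to the channelAccess string on Windows 2008) is the same string manipulation, and getting a semicolon or space wrong silently produces an unusable descriptor. The Python below is an added example, not code from this post: it parses the DACL of the channelAccess string shown above, decodes access masks using the table earlier in the post, appends an Allow entry for a group (the group SID is a constructed placeholder), drops the Event Log Readers entry, and checks whether a trustee ends up with READ. It does not touch a live system; the resulting string is what you would pass to wevtutil sl /ca: or put in the CustomSD policy value.

```python
import re

# Event-log access-mask bits, as listed in the post's table.
ELF_LOGFILE_READ, ELF_LOGFILE_WRITE, ELF_LOGFILE_CLEAR = 0x1, 0x2, 0x4
STANDARD_RIGHTS = 0xF0000  # DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER
EVENT_LOG_READERS = "S-1-5-32-573"  # built-in Event Log Readers group
# Constructed placeholder for the group being granted access (not a real SID).
EXAMPLE_GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1234"
# channelAccess of the System log on a default Windows 2008 server, as
# printed by "wevtutil gl system" in the post.
SAMPLE_SDDL = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)"
               "(A;;0x1;;;IU)(A;;0x1;;;AU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)"
               "(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)"
               "(A;;0x1;;;S-1-5-32-573)")
ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Return (header, aces): header is 'O:..G:..D:', each ACE a dict."""
    head, sep, dacl = sddl.partition("D:")
    if not sep:
        raise ValueError("no DACL (D:) section in SDDL")
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")          # type;flags;mask;obj;inh;sid
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        t, flags, mask, obj, inh, sid = fields
        aces.append({"type": t, "flags": flags, "mask": int(mask, 16),
                     "obj": obj, "inh": inh, "sid": sid})
    return head + sep, aces

def build_sddl(head, aces):
    """Serialise ACEs back into the form wevtutil sl /ca: accepts."""
    return head + "".join("(%s;%s;0x%x;%s;%s;%s)" % (
        a["type"], a["flags"], a["mask"], a["obj"], a["inh"], a["sid"])
        for a in aces)

def rights(mask):
    """Name the rights in an access mask using the post's table."""
    names = [n for bit, n in ((ELF_LOGFILE_READ, "READ"),
                              (ELF_LOGFILE_WRITE, "WRITE"),
                              (ELF_LOGFILE_CLEAR, "CLEAR")) if mask & bit]
    return names + (["STANDARD"] if mask & STANDARD_RIGHTS else [])

def grant(sddl, sid, mask=ELF_LOGFILE_READ):
    """Append an Allow ACE for sid (the post's copy-the-IU-entry step).
    Idempotent: an existing Allow ACE for the same trustee is kept as is."""
    head, aces = parse_sddl(sddl)
    if any(a["type"] == "A" and a["sid"] == sid for a in aces):
        return sddl
    aces.append({"type": "A", "flags": "", "mask": mask,
                 "obj": "", "inh": "", "sid": sid})
    return build_sddl(head, aces)

def revoke(sddl, sid):
    """Drop every ACE for sid, e.g. remove Event Log Readers from one log."""
    head, aces = parse_sddl(sddl)
    return build_sddl(head, [a for a in aces if a["sid"] != sid])

def can_read(sddl, sid):
    """True if sid is allowed READ and no Deny ACE for sid takes it away.
    Only direct trustees are checked; group membership is not expanded."""
    _, aces = parse_sddl(sddl)
    mine = [a for a in aces if a["sid"] == sid]
    if any(a["type"] == "D" and a["mask"] & ELF_LOGFILE_READ for a in mine):
        return False
    return any(a["type"] == "A" and a["mask"] & ELF_LOGFILE_READ for a in mine)
```

For the Windows 2003 CustomSD value, call grant with mask=ELF_LOGFILE_READ | ELF_LOGFILE_WRITE to produce the (A;;0x3;;;SID) entry the post describes.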

Comments (67)

  1. Anshuman Misra says:

    Hi. I have a requirement to set permissions on a custom event log (one that is located under 'Application and Service logs'), for a domain-based service account to have full control while all other users have read-only control, on a member server in my Active Directory domain. The domain controllers as well as the member server are running Windows 2008 R2. I have been able to modify 'sceregvl.inf' to populate the security descriptors for the custom log. I need help in understanding and constructing the SD string that needs to be fed in as the value in the GPO entry for the newly created event log setting.

  2. Anonymous says:

    Hey guys … I am trying to do the same, however it is not working for me. I have a group in a parent domain and I am trying to give permission on the domain controllers in the child domain; not sure if it makes a difference… please suggest… However, I can see the SID added in the CustomSD registry entry…

  3. Anshuman Misra says:

    Also, when I navigate to 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application' I don't see a 'CustomSD' key/value under it for me to copy the value for reference.

  4. Anonymous says:

    No Problem glad I could help

  5. Anonymous says:

    Does this look right?

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD (A;;0x3;;;S-1-5-21-********)?? Is there a space between the word CustomSD and (?

    I have added this to the SD for the App Log. When I check the event logs after a gpupdate and/or reboot, I am receiving access denied.

  6. You can grant non-administrators rights to remotely view all or any combination of event logs (Application, Security, etc…) with System Frontier starting with v1.3. It will be out this week. It works with every version of Windows starting with Windows 2003.

  7. Anonymous says:

    Hi Jane – Great article, this is one of our pain points in production; there is a genuine need for developers to be able to look at the Application logs for their app-related events. Although this article clarifies things, the steps required are still complex and error prone. Microsoft has a GPO setting that allows access to Security logs but not Application logs; I hope Microsoft comes up with something similar for App logs. Do you know of any such plans?

  8. JL, Nice and helpful article. Thank you for the post 🙂

  10. Ritesh says:


    I executed this task successfully. Thanks a lot.

    Could you please walk me through the process of applying this setting for a group containing a number of users, instead of a particular user?

  11. Mark van Lierop says:

    Is there any way to set SDDL permissions for the Directory Service or DNS Server logs on Windows Server 2008 R2 Domain Controllers in Group Policy? As far as I can see it can't be set in the default eventlog.admx…

  12. Archit Bahuguna says:

    Nice Article and very helpful .

    This is a valid request which we get from site admins in order to read the security logs to monitor logon events etc.

    Thanks again.

  13. vincent says:

    I get "access denied" when trying to save the changes. Everything is set so that I can make changes, but it doesn't let me.

  14. houston hopkins says:

    I also cannot save the Sceregvl.inf on my 2008 R2 DC.

    And I wish someone would explain how to do this for the Security Event logs.  The SDDL format is not hex.

  15. Shawn Nelson says:

    Help.. I am stuck! I am able to see the event log descriptor settings via local policy, but am missing a step to get them to show up in a domain Group Policy. I have a few dozen Windows 2003 servers I need to apply this change to. Do I need to import the GPO setting somehow?


  16. Tony Thomas says:

    Help.. I read the article and I understand all except how to add the string to the DWORD, for example:

    Open the relevant Policy for the member server. Open Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and look for the Event Log settings.

    Open "Eventlog: Security descriptor for Application event log". Click on Define this policy setting.

    Copy the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD. So how do you append respective event logs with (A;;0x3;;;SID of the Group)? Please provide an example of what the string should look like.

    Thank you

  17. Grant Thompson says:

    What he is saying is to copy the value in the registry key, append the code – (A;; 0x3;;;SID of the Group) – to what you get (e.g. in Notepad) and then paste it into your policy.

    Let me know if you need help, I'm happy to do a quick call if needed.


    MG Technology Group

  18. doesn't work for security says:

    This doesn't seem to work for the Security log if the user is running as batch or as a service. I can take the same permission set that works for reading SYSTEM and set it for SECURITY and yet it still gets an access denied error unless I add the user to local admin.

  19. David says:

    You state that the built-in "Event Log Readers" group allows read access to ALL event logs, however it doesn't allow a regular user to remotely access System/Application event logs on other computers.

  20. Report event not working from win7 says:

    Hi.. I am trying to log events from Windows 7 to Windows 2003/2008. It was working earlier but for a few days I could not see any log messages from the Windows 7 machines. When I checked the code, it says ReportEvent (VB6) is failing.

    Can you tell me what permissions are required to update a Windows 2003/2008 event log from Windows 7?

  21. vivek says:

    Is it required to restart server to take changes in effect ?

  22. Aurimas N. says:

    Can we see some working examples? I can't figure out the part:

    4) Open "Eventlog: Security descriptor for Application event log". Click on Define this policy setting.

    Copy the following registry key:

    Service\CustomSD etc…

    Copy the above value for each of the event logs (like application, system, security etc…) & append respective event logs with (A;;0x3;;;SID of the Group) in the above


  25. Miron says:

    Found this link helpful to better understand how to access same EventLog access permissions using code:

    And with just a few lines it seems one can manage access to custom event log using some tool.

    So, the class provides support to query for an existing CustomSD value under the correctly selected registry key:

    if (!EventLogSecurity.EventLogHasCustomSD(logName))
    // this creates DACL enforcing Built In Administrator account "administrative" access to the event log.

    Then a few lines to query the current user SID and security descriptor:

    CommonSecurityDescriptor csd = EventLogSecurity.GetSecDescForCurrentCustomSD(logName);

    // this queries current user logon Sid.
    SecurityIdentifier CurrentUserSid = System.Security.Principal.WindowsIdentity.GetCurrent().User;

    Now, a few lines to query existing event log Custom Security Descriptor:

    foreach (CommonAce ace in csd.DiscretionaryAcl)
    if (ace.SecurityIdentifier.Equals(CurrentUserSid))
    grantIssued = true;

    And if the grant wasn't issued, one more line to add the required grant to the Common Security Descriptor and then assign it to the Custom Security Descriptor:

    csd.DiscretionaryAcl.AddAccess(AccessControlType.Allow, CurrentUserSid, mask, InheritanceFlags.None, PropagationFlags.None);
    EventLogSecurity.WriteEventLogCustomSD(logName, csd);

    Thanks for a great article. Until I found Jane's article it was truly a roadblock :). Hope what I added helps.


  26. No GPO Option with 2008+ then? says:

    Seems like Microsoft have made this harder with 2008+ as you can no longer set access to individual event logs with GPO.

  28. kai says:

    Adding an Active Directory Group to the Built-In Group "Event Log Reader" only works if the group type is set to universal.

  30. Keong says:

    We are setting up BizTalk 2013 on Windows Server 2012 and one of the requirements is to allow the service account to create sources and write to the event logs (Application) of the BizTalk servers. We have found what seems to be a simple solution for this without giving service accounts local admin rights.

    Give Full Control on the following registry keys to the service accounts or groups to allow creating event sources and writing to event logs:

    Note: when changing permissions for the EventLog key, the child keys will inherit the permissions by default except the Security key, which must be done manually.

    Initial tests using a .NET test app seem to work as expected. New event sources are being created in the event logs and writing to the event logs after that works perfectly.

    We will be testing this from actual BizTalk applications and verifying the results. Will update this post with the test results later.

  38. says:

    Great article!

    I have a strange request: my org wants to restrict all administrators from clearing the Security log… I tried to alter the SDDL for the Security log as explained below. The settings are applying successfully but administrators can still clear the logs. I have tested the same for the Application and System logs and found it is working fine. Could anyone clarify whether there is any limit to this solution?
