This is my first posting so please be gentle.
We have an empty root, then a single domain under the empty root. We have separate companies that have their own OU within this domain. One of the companies is requesting access to the Security log on the domain controllers so that they can see why users have been locked out of their account. We do have auditing enabled with the following settings:

Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Failure
Audit logon events - Success, Failure
Audit object access - Failure
Audit policy change - Success, Failure
Audit privilege use - Failure
Audit process tracking - No auditing
Audit system events - Success, Failure

1. To me this would seem to be a security risk to allow read access to the security logs, but I have to justify this. Is there information within the log file that could be extracted and used to do harm? Does anybody have any ammo related to this?

2. Is there even a way to allow real-time read access to the security logs in a Windows 2000 environment without giving them domain admin access? Q323076 pertains to this on Windows 2003 but doesn't mention Windows 2000.

3. If we can give them real-time read access to the security log file, is there a way that we could filter out all entries except the messages that would pertain to user lockouts?

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
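An added example, not part of the original post or of anything the list distributes, showing the kind of filter question 3 asks about, done offline on a Security log that has been saved from Event Viewer as tab-separated text. It assumes the export has the columns Date, Time, Source, Type, Category, Event, User, Computer, Description, and that lockouts appear as event 644 (the Windows 2000/2003 "User Account Locked Out" event; later versions use 4740). The sample lines are constructed. The second function is there for question 1: it counts what the filter withholds, and the withheld entries (logon events with user and workstation names, account-management events showing which administrator changed which account) are the material the poster is worried about exposing with full read access.

```python
"""Reduce an exported Windows 2000 Security log to lockout entries only.

Added example, not from the original post. Assumes a tab-separated Event
Viewer export with nine columns and lockout event ID 644 (constructed data).
"""
import re
from typing import Dict, List

# Event IDs that mean "account locked out": 644 on Windows 2000/2003.
LOCKOUT_EVENT_IDS = {644}

COLUMNS = ("date", "time", "source", "type", "category",
           "event", "user", "computer", "description")

# Constructed sample export: one lockout plus the unrelated entries a full
# read of the log would also hand over (logons, failed logons, admin changes).
SAMPLE_EXPORT = """\
1/15/2004\t08:01:12\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tCORP\\jsmith\tDC01\tSuccessful Logon: User Name: jsmith Domain: CORP Logon Type: 3 Workstation Name: WS42
1/15/2004\t08:02:30\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tDC01\tLogon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: CORP Workstation Name: WS17
1/15/2004\t08:02:31\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tDC01\tLogon Failure: Reason: Unknown user name or bad password User Name: jdoe Domain: CORP Workstation Name: WS17
1/15/2004\t08:02:33\tSecurity\tSuccess Audit\tAccount Management\t644\tNT AUTHORITY\\SYSTEM\tDC01\tUser Account Locked Out: Target Account Name: jdoe Target Account ID: CORP\\jdoe Caller Machine Name: WS17 Caller User Name: DC01$ Caller Domain: CORP Caller Logon ID: (0x0,0x3E7)
1/15/2004\t08:05:00\tSecurity\tSuccess Audit\tAccount Management\t642\tCORP\\admin1\tDC01\tUser Account Changed: Target Account Name: svc_backup Target Domain: CORP Caller User Name: admin1
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """Split each exported line into the nine named columns.

    Malformed lines are skipped rather than guessed at, so a damaged export
    cannot push unexpected text into the filtered view.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 8)  # description may contain no tabs, but cap anyway
        if len(parts) != len(COLUMNS):
            continue
        records.append(dict(zip(COLUMNS, parts)))
    return records


def lockout_view(text: str) -> List[Dict[str, str]]:
    """Return only the fields needed to explain a lockout: when, which DC,
    which account, and which machine the bad attempts came from."""
    view = []
    for rec in parse_export(text):
        if not rec["event"].isdigit() or int(rec["event"]) not in LOCKOUT_EVENT_IDS:
            continue
        desc = rec["description"]
        target = re.search(r"Target Account Name:\s*(\S+)", desc)
        caller = re.search(r"Caller Machine Name:\s*(\S+)", desc)
        view.append({
            "when": f'{rec["date"]} {rec["time"]}',
            "dc": rec["computer"],
            "account": target.group(1) if target else "",
            "locked_from": caller.group(1) if caller else "",
        })
    return view


def withheld_summary(text: str) -> Dict[int, int]:
    """Count, per event ID, the entries the lockout view does NOT pass on.

    This is the part of the log that full read access would expose.
    """
    counts: Dict[int, int] = {}
    for rec in parse_export(text):
        if not rec["event"].isdigit():
            continue
        event_id = int(rec["event"])
        if event_id in LOCKOUT_EVENT_IDS:
            continue
        counts[event_id] = counts.get(event_id, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in lockout_view(SAMPLE_EXPORT):
        print(entry)
    print("withheld:", withheld_summary(SAMPLE_EXPORT))
```

Running the script against a real export (replace SAMPLE_EXPORT with the file's contents) gives the helpdesk the lockout rows without granting them the log itself; a scheduled export plus this filter is a way to meet the request while keeping the rest of the Security log inside the domain admin boundary.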
