Consider using some of the tools in ALTools.exe instead of giving access to the security log (http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en). This contains tools that assist you in managing accounts and in troubleshooting account lockouts.
Cheers!
John Reijnders
MCSE Windows Server 2003

-----Original Message-----
From: Joe
To: [EMAIL PROTECTED]
Sent: 25-9-2003 3:36
Subject: RE: [ActiveDir] Security Logs

The only way to give out the ability to non-admins to read the security log in Windows NT or Windows 2000 is to grant the "Manage auditing and security logs" security user right. You DO NOT want to do this, as it gives the user the ability to both clear the security log and write security events (i.e. overflow the log). There are supposed to be some enhanced options in Windows 2003, but I have not had a chance to experiment with that functionality.

The best you can do is get something that pulls events and collects them somewhere and allows you to say who can see what. Possibly look into ManageX or MOM or OpenView, or even write your own service or script that constantly collects events on the machine and sends them back to a collector every 10 minutes or so.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, September 24, 2003 11:15 AM
To: '[EMAIL PROTECTED]'

This is my first posting, so please be gentle.

We have an empty root, then a single domain under the empty root. We have separate companies that have their own OU within this domain. One of the companies is requesting access to the Security log on the domain controllers so that they can see why users have been locked out of their accounts. We do have auditing enabled with the following settings:

Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Failure
Audit logon events - Success, Failure
Audit object access - Failure
Audit policy change - Success, Failure
Audit privilege use - Failure
Audit process tracking - No auditing
Audit system events - Success, Failure

1. To me this would seem to be a security risk to allow read access to the security logs, but I have to justify this. Is there information within the log file that could be extracted and used to do harm? Does anybody have any ammo related to this?

2. Is there even a way to allow real-time read access to the security logs in a Windows 2000 environment without giving them domain admin access? q323076 pertains to this on Windows 2003 but doesn't mention Windows 2000.

3. If we can give them real-time read access to the security log file, is there a way that we could filter out all entries except the messages that would pertain to user lockouts?

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
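As an added example (not code from anyone in this thread), here is the "collector script" approach Joe describes, combined with the filtering asked about in question 3: a scheduled task on each domain controller pulls only the account-lockout events from the Security log and appends them to a CSV on a share whose ACL grants read access to that company's helpdesk group. Nobody outside the admins is given "Manage auditing and security logs" on the DC. The script assumes a DC running Windows Server 2008 or later, where the lockout event is ID 4740 and the task account can be a member of the built-in Event Log Readers group; on Windows 2000/2003 the equivalent event is ID 644 and the log would be read with Get-EventLog instead. The share path, state-file location and the 10-minute first-run window are assumptions chosen for the example.

```powershell
# Added example, not from the original thread.
# Forward only account-lockout events from this DC's Security log to a
# helpdesk-readable share, so no one needs the "Manage auditing and
# security logs" right on the DC. Schedule it every 10 minutes.
# Assumes Windows Server 2008+ (Get-WinEvent, event ID 4740); the
# Windows 2000/2003 lockout event is ID 644.
param(
    [string]$OutFile     = '\\collector\lockouts$\lockouts.csv',          # assumed share path
    [string]$StateFile   = "$env:ProgramData\LockoutCollector\last.txt",  # assumed state location
    [int[]] $LockoutIds  = @(4740)                                        # use 644 on 2000/2003
)

# High-water mark: the Security log RecordId of the last event we forwarded,
# so each run ships only new events and the same lockout is never sent twice.
$lastRecord = 0
if (Test-Path $StateFile) {
    $lastRecord = [int64](Get-Content $StateFile | Select-Object -First 1)
}

# Filter in the event log service itself (cheap) rather than reading the whole log.
$filter = @{ LogName = 'Security'; Id = $LockoutIds }
if ($lastRecord -eq 0) {
    # First run: look back 10 minutes instead of replaying the entire log.
    $filter.StartTime = (Get-Date).AddMinutes(-10)
}

$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordId -gt $lastRecord } |
            Sort-Object RecordId)

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time             = $e.TimeCreated
        DomainController = $env:COMPUTERNAME
        RecordId         = $e.RecordId
        EventId          = $e.Id
        LockedAccount    = $data['TargetUserName']
        # In event 4740 the TargetDomainName field carries the Caller Computer Name,
        # i.e. the machine the bad passwords came from, which is what the helpdesk needs.
        CallerComputer   = $data['TargetDomainName']
    }
}

if ($rows) {
    $dir = Split-Path -Parent $OutFile
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Append

    # Persist the newest RecordId for the next run.
    New-Item -ItemType Directory -Path (Split-Path -Parent $StateFile) -Force | Out-Null
    $events[-1].RecordId | Set-Content $StateFile
}
```

Because the CSV contains only the lockout rows (account name, calling computer, time, DC), the company gets the information it asked for without seeing the logon, privilege-use or policy-change entries that make the raw Security log sensitive, and since the file is written by the collector task rather than read from the DC, the helpdesk needs no rights on the domain controller at all.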
