Is it possible to grant Read-Only Access to all Event Logs on Domain Controllers

You can place the users from the "parent" domain into a global group in the parent domain, then nest that global group into the "Administrators" domain local group in the "child" domain. That will give you the functionality you're looking for (assuming a stock set of AD permissions on the child domain). "Administrators" gets named with the same rights as "Domain Admins" in all the permissions on the AD.

As far as permissions on shares and such that you've created-- that's your problem. >smile<

Edit:

The "BUILTIN\Administrators" group in the child domain does have the same rights to Active Directory as the "Domain Admins" group in the Active Directory. You're not talking about rights to Active Directory in your comment-- you're talking about a default group nesting that gets performed on the Local Users and Groups on member computers. The kind of thing you commented on is what I mean when I said "that's your problem". It's an easy one to fix, too.

This is a job for "Restricted Groups" policy!

So, let's say that you want to modify the behaviour of the local "Administrators" group nesting domain-wide in the child domain.

• Create and link a GPO at the root of the child domain (actually, link it to a sub-OU with a test computer in it first, then when you know it's working, link it to the root of the domain).
• In that GPO, open "Computer Settings", then "Windows Settings", "Security Settings", and "Restricted Groups".
• Right-click "Restricted Groups" and do an "Add Group".
• Click "Browse" in the "Add Group" dialog, key in "Administrators" (not "Domain Admins" or anything else), and click "Check Name" and "OK". Click "OK" to dismiss the "Add Group" dialog.
• In the "Administrators Properties" dialog, click the "Add" button at the top, beside the "Members of this Group" list-box.
• Click "Browse" in the "Add Member" dialog and key in "Domain Admins" and click "Check Name" and "OK". In the "Add Member" dialog, you'll see "CHILDDOMAINNETBIOSNAME\Domain Admins" listed. Click "OK".
• In the "Administrators Properties" dialog, click the "Add" button at the top, beside the "Members of this Group" list-box again.
• Click "Browse" in the "Add Member" dialog and key in the name of the global group in the parent domain that you created to hold users who are getting "Administrator" rights in the child domain. Before you click "Check Name", click "Locations" and choose your parent domain in the "Locations" dialog and click "OK". Then click "Check Name" and "OK". In the "Add Member" dialog, you'll see "PARENTDOMAINNETBIOSNAME\Group name you created" listed. Click "OK".

When this GPO applies to computers, their local "Administrators" group will get the groups "CHILDDOMAINNETBIOSNAME\Domain Admins" and "PARENTDOMAINNETBIOSNAME\Group name you created" nested into it automatically.

You can definitely do what you're looking for. It's just matter of modifying the default security descriptors on the specific log (or logs) you want to grant access to.

In Windows Server 2008 there is a built-in group "Event Log Readers", that can be used to grant other users or groups rights to read the event logs. This doesn't help you with Windows Server 2003. Be aware that there is a hotfix for a mistake in the groups.xml file that can cause Group Policy Preferences to fail to populate the "Event Log Readers" group. (I would use "Restricted Groups" policy, personally...)

You can also use the wevtutil command to modify the security descriptors on event logs in Windows Server 2008, too.

For your Windows 2003 machines (and Windows 2008 machines, if you want), each Event Log has configuration information stored in subkeys of HKLM\System\CurrentControlSet\Services\EventLog. To modify the default security descriptor for a given log, located the corresponding subkey, add a REG_SZ value named CustomSD, and specify the security descriptor in security descriptor definition language (SDDL) format. Microsoft's KB323076 describes the CustomSD value, and KB914392 describes SDDL notation (though it fails to mention the Read, Write, and Clear rights (which are described in the EventLog registry key reference).