Windows – How to allow a domain user to write the Windows Event Log (2008 R2 or newer) without Local Admin privileges

Tags: permissions, windows, windows-event-log, windows-server-2008-r2

We are very concerned about security, so we don't grant local admin privileges if not fully required or troubleshot first.

I have an application provider who needs to write the Windows Event Log. The credentials to run their services are from a generic domain user. This generic user was already made a member of the "Power Users" group but we are still unable to write the Windows Event Log. Of course if I grant membership in the "Local Administrators" group it works fine.

How do I allow a generic user to write to the Windows Event Log on Windows Server 2008 R2 or newer without granting the user Local Admin privileges?

Using other system accounts such as "SYSTEM, NETWORK or LocalService" is NOT an option; it must run with a domain user.

Best Answer

You can do this by modifying the permissions of the registry entries for the Event log using Regedit.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD 

This article from Microsoft has the details, which are different based on your situation, so I won't repeat them here.
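As an added example (not part of the answer above, and not Microsoft's own script), the following PowerShell applies the CustomSD change the answer describes for a single domain account. It uses a hypothetical service account CONTOSO\svc-app as a placeholder, grants only read and write on the chosen log, keeps the existing ACEs and SACL intact, and validates and backs up the descriptor before writing it. It assumes it is run from an elevated prompt on the target server.

```powershell
# Added example (not from the original answer): grant one domain account write
# access to a classic event log by appending an ACE to the CustomSD value the
# answer refers to. Run elevated on the target server; PowerShell 2.0 or later.
param(
    [string]$LogName = 'Application',
    [string]$Account = 'CONTOSO\svc-app'   # hypothetical service account (placeholder)
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# SDDL ACEs carry SIDs, not names, so resolve the account first (fails loudly if unknown).
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Classic event log access mask: 0x1 = read, 0x2 = write, 0x4 = clear.
# A log writer needs read+write only; leave clear (0x4) to administrators.
$ace = "(A;;0x3;;;$sid)"

# Start from the explicit CustomSD if one is set; otherwise bootstrap from the
# effective descriptor wevtutil reports, so none of the default ACEs are dropped.
$current = (Get-ItemProperty -Path $keyPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $current) {
    $m = [regex]::Match(((wevtutil gl $LogName) -join "`n"), 'channelAccess:\s*(\S+)')
    if (-not $m.Success) { throw "Could not read the current security descriptor for $LogName" }
    $current = $m.Groups[1].Value
}

if ($current -like "*;;;$sid)*") {
    Write-Host "$Account already has an ACE on the $LogName log; nothing changed."
    return
}

# The new ACE must land inside the DACL (D:...); keep any SACL (S:...) after it.
if ($current -notmatch '^(?<head>.*?D:[A-Z]*(?:\([^)]*\))*)(?<sacl>S:.*)?$') {
    throw "Unexpected SDDL for ${LogName}: $current"
}
$new = $Matches['head'] + $ace + $Matches['sacl']

# Validate before writing: a malformed CustomSD can break access to the log for everyone.
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)

# Keep a copy of the previous descriptor so the change can be reverted.
$backup = Join-Path $env:TEMP ("CustomSD-$LogName-{0:yyyyMMddHHmmss}.txt" -f (Get-Date))
Set-Content -Path $backup -Value $current

Set-ItemProperty -Path $keyPath -Name CustomSD -Value $new -Type String
Write-Host "CustomSD for $LogName updated; previous value saved to $backup"
```

The mask 0x3 is the least privilege a log writer needs; granting 0x7 would also let the account clear the log, which is exactly the kind of right a compromised service account should not have. Note that CustomSD only governs writing to the log through an event source that already exists: registering a new source (the subkey under Eventlog\Application) still requires administrative rights, so that step belongs in the application's installer rather than in the service account's permissions.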