Remotely View Event Log

[ekinike]

I would like to allow a non-IT person the ability to view the Event Log of a 2003 Server box. How can I achieve this without granting admin rights on the local machine?

 

[pgaliardo]

You can create an MMC that accesses only the event viewer on the remote server. Give the user execute rights to the MMC. I'm not sure if you need to alter any rights on the local server. I'll look into that.

 

[porkchopexpress]

A domain user can view the App and Sys event log on a remote PC XP/2000 but not the security log, i don't think they can view a 2003 servers log by default tho.

You know what Jack Burton always says at a time like this...

 

[pgaliardo]

This link explains how to set security on a Windows 2003 Server box:

http://support.microsoft.com/kb/323076/en-us

I've never done this before, so use at your own risk.

 

[ekinike]

Thanks Pgaliardo...that did the trick!

One more challenge... how can I give this user access to stop and start 1 specific service on this server without being an admin?

 

[pgaliardo]

Try this link:

http://support.microsoft.com/kb/325349/en-us

 

[ekinike]

Tried that, but am getting Access Denied when I attempt to add that server's services in an MMC console. Tried using netsvc.exe from a command prompt as well and received "error code 5. access denied."

 

[pgaliardo]

Did you have the user log off then back on after making the changes?

 

[ekinike]

Yes, they did log off and back on. Still cannot access the remote service. ???

 

[pgaliardo]

Sorry ekinike, I came across that link on the microsoft site, but I've never had to configure anything like this. I'm hoping someone else out there has had experience with this.

 

[kmkeshav]

You can do this way:

If your computer is in a domain, you can create a new Group Policy which sets appropriate permissions on the services. You can find the settings in the Group Policy as below:

"Computer Configuration" > "Windows Settings" > "Security Settings" > Click "System Services" > Right-click the service you want to set permissions > "Properties" > Select "Define this policy setting" > "Edit Security"

If you computer is not in a domain, you can create a new security template with the necessary permission settings defined and apply to the computer. Below are the steps:

"Start" > "Run" > Type "MMC" and press Enter > "File" > "Add/Remove Snap-in" > "Add" > Scroll down and select "Security Templates" > Click "Add" > Click "Close" > Click "OK" > Expand "Security Templates" > Expand "C:\Windows\Security\Templates" > Right-click "C:\Windows\Security\Templates" > "New Template" > Provide appropriate name and description > Expand the new template > Click "System Services" > Right-click the service to which you need to set permission and follow the procedure above to complete this.

Apply the newly created templete to the computer.

Hope this will be helpful.

-Keshav

 

[ekinike]

I have already modified the Security Template for the local machine so that certain user accounts has full access to the specified service. However, when attempting to use the netsvc command, I am still receiving an "access is denied" error.

I tried adding one of these users to the Local Administrators group on the machine for testing purposes, but still receive the same error. I can however connect to services using the MMC in this case, but I cannot leave these users as a local admin. When using netsvc with a domain admin account, which is also part of the Loacal Administrators group on that machine, I am able to successfully start and stop the service using both netsvc and mmc. Any ideas?

Again, the intended goal is to allow a user access to start and stop a single designated service on a 2003 Server machine.