Composing SDDL for Defining Custom Event Log Permissions

Q: Is there a way to give an account read access to the Security event log without giving it administrator authority? I need to monitor the Security event logs for five or six domain controllers (DCs) within our network. My boss wants me to have a background service running under my profile (I don't have domain administrator privileges) that would access the DCs' Security event logs and compile them into a database that I can access and parse daily. I have tried many different event log monitoring applications, but they all require me to be logged on as a domain administrator at all times, which my boss doesn’t want.

A: You definitely don’t need administrator-level authority. In Windows 2000 Server, you can give yourself the ability to view and clear the Security log by granting your account the Manage auditing and security log right. There’s no way in Win2K Server to give you the ability to view the log without giving you the ability to clear the log. However, Windows Server 2003 has a more granular permission capability. In Windows 2003, access to each event log is governed by permissions defined for that event log under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog registry subkey. For example, permissions for the Security log are defined in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security subkey. In that subkey, you can add a REG_SZ value called CustomSD, which stands for custom security descriptor. When you perform an operation on an event log, Windows checks the permissions on the corresponding CustomSD value to determine if the action should be allowed.

To configure the registry permissions in CustomSD, you have to use the Security Descriptor Definition Language (SDDL). If you aren’t familiar with SDDL, it's a way to describe ACLs by using text strings. The Microsoft article “Security Descriptor String Format” at provides a good explanation of how it works. If you have a general knowledge of SDDL, then you just need to know the correct hexadecimal values to plug into the access rights field of the SDDL entry.

To give an account read access to the Security log, simply turn on the first bit of the access rights field, which is 0x1 in hexadecimal. For example, to give the LocalService account read access to the Security log, the SDDL for CustomSD is (A;; 0x1;;;LS).

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.