Grant DNSAdmins the Right to View DNS Event Log Entries Remotely on Windows Server 2008 R2


This is an issue we’ve struggled with in the past day or so. An organization running Windows Server 2008 R2 is delegating control of their DNS servers to specific people, and in order to do so, they added these users to the DNSAdmins built-in group in Active Directory. However, since these users are not members of any administrative groups, while they can view the DNS Event Logs and manage them locally, on the DNS server(s), they cannot do so remotely from another Windows Server 2008 R2 or Windows 7 management workstation.

The Problem: Access Denied when Viewing Event Logs Remotely

To demonstrate this in our lab environment, we created a user called DNSManager, and added him to the DNSAdmins group. Once the user logs on to their management workstation and opens Event Viewer, they connect to a remote computer.

Figure 1: Connecting to a Remote Computer

In the “Another Computer” area, they type the name of the remote machine. In this case, it’s a remote Domain Controller that is called DC1, which also hosts the DNS service.

Figure 2: Select Computer to View Event Logs on

Once connected, they attempt to open one of the Event Logs, but get an “Access is Denied (5)” message:

Figure 3: Access Denied Error Message when Viewing Event Logs Remotely

The Solution: Adding DNSAdmins to the Event Log Readers Group

This can be easily fixed by adding these users (or group of users) to the “Event Log Readers” built-in group on the servers that you need to have remote access to.

Figure 4: Adding DNSAdmins to the Event Log Readers Group

Now, if the DNSManager user logs off and logs back on to the remote management machine, he can view the relevant event logs.

Figure 5: Access Granted to DNSAdmins

The Problem: Access Denied to DNS Event Logs

However, while this trick works for most Event Logs, it does NOT work for the DNS Event Log, as the screenshot below shows.

Figure 6: Access Denied error when Viewing DNS Event Logs

The problem persists when the user opens the DNS management console: they CAN manage the DNS properties, zones and records, as shown below.

Figure 7: DNS Management Console works fine

Yet when they attempt to view the remote DNS Event Log, they still get the “Access is denied” error.

Figure 8: Unable to Access DNS Event Logs

The Solution: Granting Remote Access to DNS Event Logs

The fix is described in a somewhat complex Microsoft Knowledge Base article: How to set event log security locally or by using Group Policy in Windows Server 2003

And also in this great blog post: Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008 – Jane Lewis’s Weblog

But the trick is that in Windows Server 2008 R2, the procedure is a lot simpler. Here are the steps:

  1. Open Command Prompt with elevated permissions (Run as Administrator), and run the following command:
    wevtutil gl "DNS Server" > C:\Temp\DNS_Server.txt

    Note: Change the path to fit your needs.

    By the way, if you need to perform the same trick on other custom or application logs, you can find out the name of the log by running the following command and examining the resulting text file for the exact name syntax:

    wevtutil el > C:\Temp\All_Logs.txt
  2. Next open the text file from the above path, and look for the channelAccess: entry.

    Figure 9: ChannelAccess entry
  3. Now we need to find the SID of the DNSAdmins group. To do so, if the logged on user is a member of that group, you can find the SID by typing the following command (assuming this is Windows Server 2008 R2 or Windows 7):
    whoami /groups | find /i "dnsadmins"

    The result should look something like this:

    PETRI-LAB\DnsAdmins                    Alias            S-1-5-21-3903327414-3371247034-3746192915-1102 Mandatory group, Enabled by default, Enabled group

    Naturally, the domain name and SID will differ, but you get the point…

    You can also use other tools such as PSGetsid from Sysinternals.

    Copy the SID, we’ll need it in a moment.

  4. Going back to the text file, append the following text string to that long line:

    Where XXX is the SID you’ve copied from above.

    In this case, I will append the following line:


    Figure 10: Adding Your SID
  5. Next, copy the entire text from the O:BAG… part till the end of the line (including your recent addition):
  6. And finally, run the following command in the Command Prompt, pasting the above string just after the /ca: parameter:
    wevtutil sl "DNS Server" /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)

    Figure 11: Run the command

    You can now close the text file, we don’t need it anymore. No need to save it.

    Going back to the management workstation, open Event Viewer or open DNS management console as the DNSManager user, and behold, you can now view the DNS Event Logs:

    Figure 12: Problem solved, the DNS Event Logs show up

    Figure 13: Problem solved, the DNS Event Logs show up

Summary

In our next blog post, we will show you how to add these settings to Group Policy in order to configure them for multiple servers.
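
Steps 1 to 6 as one PowerShell script, to be run elevated on the DNS server; this is an added example, not part of the original post. Add-ReadAce, $Channel, $Group, $Apply and the backup file name are assumptions made for the example, and the log is left untouched unless $Apply is set to $true.

```powershell
# Added example (not from the original post). Add-ReadAce and the variable names are hypothetical.
function Add-ReadAce {
    param([string]$Sddl, [string]$Sid)
    # Accept only a well-formed SID so nothing else is spliced into the descriptor.
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID: $Sid" }
    # Appending at the end is only correct when the DACL (D:) is the last section;
    # stop if there is no DACL or if a SACL (S:) follows it.
    if ($Sddl -notmatch 'D:.*\)$' -or $Sddl -match '\)S:') { throw "Unexpected descriptor: $Sddl" }
    # Idempotent: leave the descriptor alone if this SID already has an ACE.
    if ($Sddl -match [regex]::Escape(";;;$Sid)")) { return $Sddl }
    # 0x1 is the event log read right: the group can read, not write (0x2) or clear (0x4).
    return ('{0}(A;;0x1;;;{1})' -f $Sddl, $Sid)
}

$Channel = 'DNS Server'
$Group   = 'DnsAdmins'   # resolved on the DNS server itself (assumption)
$Apply   = $false        # set to $true to write the new descriptor

# Steps 1-2: read the current channelAccess value from "wevtutil gl".
$current = $null
foreach ($line in (wevtutil gl $Channel)) {
    if ($line -match '^\s*channelAccess:\s*(\S+)') { $current = $Matches[1] }
}
if (-not $current) { throw "channelAccess not found for '$Channel'" }

# Step 3: resolve the group's SID instead of copying it from "whoami /groups".
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Steps 4-6: append the read ACE and write the whole descriptor back.
$new = Add-ReadAce -Sddl $current -Sid $sid
"Before: $current"
"After:  $new"
if ($Apply -and $new -ne $current) {
    # /ca replaces the entire descriptor, so keep the old value for rollback.
    Set-Content -Path "$env:TEMP\DNS_Server_channelAccess.bak" -Value $current
    wevtutil sl $Channel "/ca:$new"
}
```

To roll back, pass the saved string to wevtutil sl "DNS Server" /ca: in the same way as step 6.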
