Last Update: Dec 03, 2024 | Published: Jul 20, 2012
This is an issue we’ve struggled with in the past day or so. An organization running Windows Server 2008 R2 is delegating control of their DNS servers to specific people, and in order to do so, they added these users to the DNSAdmins built-in group in Active Directory. However, since these users are not members of any administrative groups, while they can view the DNS Event Logs and manage them locally, on the DNS server(s), they cannot do so remotely from another Windows Server 2008 R2 or Windows 7 management workstation.
To demonstrate this in our lab environment, we created a user called DNSManager, and added him to the DNSAdmins group. Once the user logs on to their management workstation and opens Event Viewer, they connect to a remote computer.
This can be easily fixed by adding these users (or group of users) to the “Event Log Readers” built-in group on the servers that you need to have remote access to.
However, while this trick works for most Event Logs, it does NOT work for the DNS Event Log, as can be seen from this screenshot below.
The fix is described in a somewhat complex Microsoft Knowledge Base article: How to set event log security locally or by using Group Policy in Windows Server 2003
And also in this great blog post: Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008 – Jane Lewis’s Weblog
But the trick is that in Windows Server 2008 R2, the procedure is a lot simpler. Here are the steps:
wevtutil gl "DNS Server" > C:\Temp\DNS_Server.txt
Note: Change the path to fit your needs.
By the way, if you need to perform the same trick on other custom or application logs, you can find out the name of the log by running the following command and examining the resulting text file for the exact name syntax:
wevtutil el > C:\Temp\All_Logs.txt
whoami /groups | find /i "dnsadmins"
The result should look something like this:
PETRI-LAB\DnsAdmins Alias S-1-5-21-3903327414-3371247034-3746192915-1102 Mandatory group, Enabled by default, Enabled group
Naturally, the domain name and SID will differ, but you get the point…
You can also use other tools such as PsGetSid from Sysinternals.
Copy the SID, we’ll need it in a moment.
(A;;0x1;;;XXX)
Where XXX is the SID you’ve copied from above.
In this case, I will append the following line:
(A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)
O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)
wevtutil sl "DNS Server" /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x5;;;SO)(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x2;;;LS)(A;;0x2;;;NS)(A;;0x2;;;S-1-5-33)(A;;0x1;;;S-1-5-21-3903327414-3371247034-3746192915-1102)
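The steps above, wrapped into one PowerShell function as an added example (not code from the original post): it reads the current channelAccess descriptor with wevtutil gl, refuses to add a second ACE if the SID is already present, keeps a trailing SACL (S:) intact, and appends the read-only (0x1) ACE with wevtutil sl. The function and parameter names are ours; it assumes an elevated shell on the server that owns the log.

```powershell
# Added example, not from the original post: grant a SID read-only (0x1) access to one
# event log channel the way the post does (wevtutil gl / wevtutil sl), but idempotently
# and with a check that the SID is not already named by an existing ACE.
# Assumes an elevated shell on the server that owns the log; names below are ours.
function Grant-EventLogRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$LogName,   # exact channel name, e.g. "DNS Server"
        [Parameter(Mandatory)][string]$Sid        # e.g. the DnsAdmins SID from whoami /groups
    )
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID string: $Sid" }

    # The current descriptor is the channelAccess: line of 'wevtutil gl <log>'.
    $hit = wevtutil gl $LogName | Select-String '^\s*channelAccess:\s*(\S+)' | Select-Object -First 1
    if (-not $hit) { throw "No channelAccess for '$LogName' (check the exact name with 'wevtutil el')" }
    $sddl = $hit.Matches[0].Groups[1].Value

    # Each ACE is (Type;Flags;Rights;ObjectGuid;InheritGuid;Sid). Stop if $Sid is already listed:
    # an allow ACE that already includes 0x1 means nothing to do; anything else (deny ACE,
    # different mask) should be reviewed by hand rather than papered over with a second ACE.
    foreach ($m in [regex]::Matches($sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -eq 6 -and $f[5] -eq $Sid) {
            if ($f[0] -eq 'A' -and ([int]$f[2] -band 0x1)) {   # [int]'0x1' parses the hex mask
                Write-Verbose "$Sid already has read (mask $($f[2])) on '$LogName'; nothing to do"
                return $sddl
            }
            throw "$Sid already has ACE ($($m.Groups[1].Value)) on '$LogName'; review it instead of appending"
        }
    }

    # Append the read ACE to the DACL. If a SACL (S:...) follows the DACL, insert before it,
    # otherwise the new ACE would land in the audit list instead of the access list.
    $ace = "(A;;0x1;;;$Sid)"
    $new = if ($sddl -match '^(?<dacl>.*\))(?<sacl>S:.*)$') { $Matches.dacl + $ace + $Matches.sacl }
           else { $sddl + $ace }

    if ($PSCmdlet.ShouldProcess($LogName, "set channelAccess to $new")) {
        wevtutil sl $LogName "/ca:$new"
        if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    }
    return $new
}

# Usage, with the lab SID from the whoami output above:
# Grant-EventLogRead -LogName 'DNS Server' -Sid 'S-1-5-21-3903327414-3371247034-3746192915-1102' -Verbose
```

Run it with -WhatIf first to see the descriptor it would write without changing the log.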
Going back to the management workstation, open Event Viewer or open DNS management console as the DNSManager user, and behold, you can now view the DNS Event Logs:
In our next blog post, we will show you how to add these settings to Group Policy in order to configure them for multiple servers.