Composing SDDL for Defining Custom Event Log Permissions

Q: Is there a way to give an account read access to the Security event log without giving it administrator authority? I need to monitor the Security event logs for five or six domain controllers (DCs) within our network. My boss wants me to have a background service running under my profile (I don't have domain administrator privileges) that would access the DCs' Security event logs and compile them into a database that I can access and parse daily. I have tried many different event log monitoring applications, but they all require me to be logged on as a domain administrator at all times, which my boss doesn’t want.

A: You definitely don’t need administrator-level authority. In Windows 2000 Server, you can give yourself the ability to view and clear the Security log by granting your account the Manage auditing and security log right. There’s no way in Win2K Server to give you the ability to view the log without giving you the ability to clear the log. However, Windows Server 2003 has a more granular permission capability. In Windows 2003, access to each event log is governed by permissions defined for that event log under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog registry subkey. For example, permissions for the Security log are defined in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security subkey. In that subkey, you can add a REG_SZ value called CustomSD, which stands for custom security descriptor. When you perform an operation on an event log, Windows checks the permissions on the corresponding CustomSD value to determine if the action should be allowed. . . .