I want to let a group of users who aren't members of Enterprise Admins or Domain Admins view the Security logs of all domain controllers (DCs) in a forest. What user rights do I need to apply?
To view the Security log, users must have the Manage auditing and security log user right on each computer whose log they want to view. To grant this right on all your DCs, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Create a global group, give it an appropriate name, such as DCSecurityLogViewers, and populate the group with the users who need access to the Security log. Then, simply edit the Default Domain Controllers Policy Group Policy Object (GPO), which is linked to the Domain Controllers organizational unit (OU). To edit this GPO, go to Computer Configuration\Windows Settings\Security Settings\Local Policies\ User rights assignment and assign the Manage auditing and security log right to the DCSecurityLogViewers group. Everyone in the DCSecurityLogViewers group will be able to view the Security log of each DC in the current domain. To grant DCSecurityLogViewers the same access on the DCs in other domains, make the same change to the Default Domain Controllers Policy GPO in each domain.
Be aware that this user right also lets users clear the Security log. You can't give someone the ability to view the Security log without giving them the authority to clear it as well. And you can't restrict administrators from viewing or clearing the Security log—although you can deny administrators the Manage auditing and security log user right, they can grant the right to themselves. If you don't want your users to be able to clear the Security log or to be able to grant the Manage auditing and security log user right to themselves, you must set up a process that frequently exports each computer's Security log to a central database, to which you can then control access as you see fit.