Viewing Win2k3 Event logs remotely in a Win2k Domain



Tom Mariani
07-09-2005, 11:51 PM
Hello:
We have a Win2k Domain, with about 5 Win2k3 Servers, the problem is that
we get "access denied" when trying to view the event logs remotely. I am
attaching to the Win2k3 server as a domain admin level acct, and have
followed MS article 323076 (setting event log perms locally) to no avail. Can
anyone help with this stubborn issue??
--
Tom Mariani

Steven L Umbach
07-09-2005, 11:51 PM
Can you access via local logon or via Remote Desktop? Can you access the
administrative shares on those computers such as C$? That would indicate
that you do indeed have administrator access. If not, check that the domain
admins group is in the local administrators group on those servers. Also
check that for some reason your account is not in the guests group on those
servers as guests group may be denied access to Event Viewer logs. I would
also enable auditing of privilege use on those servers in Local Security
Policy [secpol.msc] to see if any failures for privilege use could be
causing the problem. --- Steve


Tom Mariani
07-09-2005, 11:52 PM
I have verified that I can access the admin shares and that none of the
domain accts are a member of any of the Guest groups (either local or
Global). I am not the only one with this issue, it affects anyone who tries
to view the logs remotely. I can view them if I remote into the Server
(Remote Desktop, Term Svcs), but if I use manage or the event viewer applet
and connect to the Server that way, we cannot view the logs, Access Denied.
It happens on all of our Win2k3 servers.

Steven L Umbach
07-09-2005, 11:52 PM
Hmm.

Have you modified the security policy of those W2003 servers from default,
possibly as to what registry keys are available remotely? The other thing to
check is that the remote registry service is running on those servers. ---
Steve


Tom Mariani
07-09-2005, 11:52 PM
I am starting to look into expanding the Reg keys avail remote policy to see
if that will allow us access. Yes we do have the remote registry service
running. Any idea what keys I will need to add to local policy?

Steven L Umbach
07-09-2005, 11:52 PM
Can you access the registry remotely at all on those servers?? For
comparison purposes below is the list of what my Windows 2003 server
[default domain controller] shows in its security policy as. Two that come
to mind as possibilities if you do not have them listed are
Software\Microsoft\Windows NT\CurrentVersion and
System\CurrentControlSet\Services\Eventlog. If you are comfortable with a
packet sniffer, that may prove worthwhile to see what is going on. I like
Ethereal but it requires it and WinPcap installation. Netmon may show
something helpful on your server end when you are trying to access the event
log. --- Steve


Remotely accessible registry paths:

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

Remotely accessible registry paths and subpaths:

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
System\CurrentControlSet\Services\Wins
SYSTEM\CurrentControlSet\Services\CertSvc



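The comparison suggested in the last post, as an added example that is not part of the original thread: it reads the two "Remotely accessible registry paths" lists on the server and reports which entries from the posted reference list are absent. It assumes PowerShell is available on the server and that the policy is stored in the `Machine` values under `SecurePipeServers\winreg`; the function name `Get-MissingPath` is hypothetical.

```powershell
# Added example: run locally on the affected server (for example over Remote Desktop).
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Reference lists copied from the post above (one admin's Windows 2003 DC),
# not an authoritative default for every server role.
$reference = @{
    AllowedExactPaths = @(   # "Remotely accessible registry paths"
        'System\CurrentControlSet\Control\ProductOptions'
        'System\CurrentControlSet\Control\Server Applications'
        'Software\Microsoft\Windows NT\CurrentVersion'
    )
    AllowedPaths = @(        # "Remotely accessible registry paths and subpaths"
        'System\CurrentControlSet\Control\Print\Printers'
        'System\CurrentControlSet\Services\Eventlog'
        'Software\Microsoft\OLAP Server'
        'Software\Microsoft\Windows NT\CurrentVersion\Print'
        'Software\Microsoft\Windows NT\CurrentVersion\Windows'
        'System\CurrentControlSet\Control\ContentIndex'
        'System\CurrentControlSet\Control\Terminal Server'
        'System\CurrentControlSet\Control\Terminal Server\UserConfig'
        'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration'
        'Software\Microsoft\Windows NT\CurrentVersion\Perflib'
        'System\CurrentControlSet\Services\SysmonLog'
        'System\CurrentControlSet\Services\Wins'
        'SYSTEM\CurrentControlSet\Services\CertSvc'
    )
}

function Get-MissingPath {
    param([string[]]$Expected, [string[]]$Configured)
    # Drop empty strings and stray whitespace from the REG_MULTI_SZ value.
    $have = @($Configured | Where-Object { $_ } | ForEach-Object { $_.Trim() })
    # -notcontains is case-insensitive, which matches registry path semantics.
    @($Expected | Where-Object { $have -notcontains $_ })
}

foreach ($list in $reference.Keys) {
    $value = (Get-ItemProperty -Path "$winreg\$list" -Name Machine -ErrorAction SilentlyContinue).Machine
    if ($null -eq $value) { Write-Output "${list}: Machine value not present"; continue }
    $missing = Get-MissingPath -Expected $reference[$list] -Configured $value
    if ($missing.Count -eq 0) { Write-Output "${list}: all reference entries present" }
    else { $missing | ForEach-Object { Write-Output "${list}: missing $_" } }
}

# The thread also asks whether the Remote Registry service is running.
Get-Service -Name RemoteRegistry | Select-Object Name, Status
```

An entry reported as missing is a difference from the posted list only; add paths through the security policy setting rather than editing the registry value directly, and only those the remote tool actually needs.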