on Domain Controller Security Logs – how to get at them *without* being a Domain Admin

So, was (semi)recently tasked with getting rid of service accounts out of our Domain Administrators group because, as you know, service accounts in Domain Admins group is BAAAAD! One of the accounts that was there was for our SIEM, to get at Domain Controller security event logs – somewhat important to keep and log and monitor. However, for expediency sake, the service account for this was added to the Domain Admins group…and now we’re trying to get it out of there.

Well…let me tell you, it’s easier said than done!

I should say that this information isn’t new information – it’s pretty standard, but I found it scattered around a few different places, so thought I’d collate what I’d found in one place for others and for future reference for myself!

Please bear in mind that these are the permissions required for the SIEM we use – you might find that what you’re trying to do needs more, or perhaps needs less. Ours is pulling logs across the network – if yours pushes logs or is only accessing them locally, it might be different. Remember, least privilege and all that jazz.

Service Account – so, first things first, create a service account that’s going to have access – name it properly, add a description, all that good stuff. I’ll refer to the service account as (unsurprisingly) <your service account> in this run through.

This only needs to be done once for the domain.

Addition to Domain Groups – add <your service account> account to the following Domain groups:

Event Log Readers – this one should be pretty obvious, it needs to read the Event Log!

Distributed COM Users – had to do some research for this one (not ashamed to admit!) to find out why, this is because a number of SIEM’s are pulling information across the network (server not pushing) so the service account will need to be able to grab the Event Log information from the server (someone correct me if I’m wrong on this!)

Remote Management Users – similar to DCOM Users, service account is going to need to remotely manage the event log, so will need to be in this group in order to do just that

This only needs to be done once for the domain.

Change to Group Policy – there is a slight GPO change that will need to be done:

You’ll need to modify the GPO you have set up for your Domain Controllers – this *should* be a different policy to the “Default Domain Controller Policy”

be a different policy to the “Default Domain Controller Policy” Modify:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment – “Manage auditing and security log” (add <your service account> to this)

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment – “Manage auditing and security log” (add <your service account> to this) This may not be required for all, but it was required for our SIEM

This only needs to be done once for the domain.

WMI Permissions – you will need to modify the following within WMI (this set of instructions is for Windows Server 2012 R2):

Open ‘Computer Management’

Expand out ‘Services and Applications’

Click on ‘WMI Control’

Right-click and select ‘Properties’

Select the ‘Security’ tab

Click on ‘Root’

Click on ‘Security’ (bottom right corner)

Click ‘Add…’ and add <your service account>

Give this account the following rights: Execute Methods – may be required, suggest testing without this permission first Provider Write – may be required, suggest testing without this permission first Enable Account – the bare minimum of what’s required for most products that want your Event Logs (it appears) Remote Enable – may be required, suggest testing without this permission first



This needs to be done on every Domain Controller*.

Registry changes – you’ll need to modify the registry in the following ways:

Modify the permissions on

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security – give <your service account> ‘Read’ permissions

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security – give <your service account> ‘Read’ permissions Modify the following registry key: HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\CustomSD Add the following to the end:

(A;;0x7;;;S-1-5-32-562) This is adding the Distributed COM Users (S-1-5-32-562) to be able to do magic things to the Security event log



Now, I found that I also had to run the following (maybe I hadn’t done the registry stuff right the first time) but may:

wevtutil sl security /ca: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)(A;;0x7;;;S-1-5-32-562)

Now, this *should* do the same thing as the modification of the registry…I believe…but it didn’t for me. Both actions were required, as a check of ‘wevtutil gl security’ didn’t show the listing as in the registry key until the ‘wevtuil sl security’ command was run.

This needs to be done on every Domain Controller*.

Service restarts – the following restarts are required, unless you’re planning on restarting the server:

“Windows Remote Management (WS-Management)” service

“Windows Event Log” service

This needs to be done on every Domain Controller*.

*Note – For the things that are marked as “every Domain Controller” – this can be scripted and done via GPO’s, but due to the small number of machines involved and our aversion to scripts in GPO’s, we preferred to do this manually.

So that’s it – from what I’ve found, this is what was required for a service account tied to a SIEM to be able to view and pull Security event log data. I would also assume that this would be very similar for other logs (e.g. Application or System), just with some minor modifications.

If you feel I’ve missed something, or feel I’ve done something wrong, let me know. Always open to comments and criticisms!