Unfortunately, in Windows 2000, access to the security logs is all or nothing. Any user, including an administrator, that has the right to view the security log also has the right to modify, filter or delete entries within it.
The setting allowing log access is found in the Group Policy Objects (GPO) of the domain controller. It can also be set in the local security policy of individual workstations and servers. By default, only administrators have rights to manage auditing and security logs.
A possible workaround, though a bit complicated and restrictive to your staff, would be to create two groups: one for your security manager as an administrator and another group for your support staff as users for the Windows 2000 boxes. All the events in the logs have corresponding objects that can be accessed programmatically by Active Server Pages (ASP) or .NET. The status of these objects can be picked out by an ASP or .NET script and displayed on a Web site set up on your corporate Intranet, but can only be accessible to your support staff.
The problem with this approach is that the Web site would have to be set up either by your company's developers, or by someone else with serious programming or scripting experience. Your support staff, who wouldn't have admin accounts, would also have limited access to systems they might need to oversee.
- Learn how to make your security log-reviewing efforts a success every time.
This was first published in October 2006