System Administration & Network Administration
windows active-directory group-policy windows-event-log eventviewer
Updated Sat, 21 May 2022 10:01:01 GMT

Grant access to Event Viewer "Application and Services Logs" via GPO

My monitoring team has requested to be able to read the logs under "Application and Services" in 2008/2012/2016 event viewer. These are the logs that reside in "%SystemRoot%\System32\Winevt\Logs\". Specifically, they're interested in the "Operations Manager" log, which deals with the MS SCOM client's health and activities.

I've tried:

  • Adding them to the "Event Log Readers" group on each server via GPO. This lets them get to the Application event log and System event log, but not the other logs.
  • Granting them read access to the "%SystemRoot%\System32\Winevt\Logs\Operations Manager.evtx" file
  • Granting them read access to the "%SystemRoot%\System32\Winevt\Logs\" folder.
  • None of these have helped, they get an access denied.

    The ideal solution would be deployable by GPO, not require admin rights, and allow them to connect to a server remotely via Event Viewer without going through Remote Desktop, command line, or powershell.

    I'm stuck. Any help is appreciated!


    Granting permission to the files is not going to provide access.

    If you find that Event Log Readers does not have access to any of the logs under Applications and Services Logs, you can create a list of the log names and use wevtutil to grant your custom permission:

    REM %%i in a cmd script, or %i if running interactively
    FOR /F %%i in (Lognames.txt) DO (
      REM Event Log Readers (S-1-5-32-573) security principal
      wevtutil sl %%i /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)

    You may want to confirm which Event Log Readers the accounts have been added to. For member servers, they need to be added to the local Event Log Readers group. For domain controllers, the domain builtin Event Log Readers group.

    Comments (3)

    • +0 – Ah! I haven't run into wevtutil before. Thank you! — Jan 25, 2018 at 16:38  
    • +0 – To be safe, should I knock something out that catches the existing ChannelAccess value, tack (A;;0x1;;;S-1-5-32-573) on to the end of it, and then set that value as the channel access? — Jan 25, 2018 at 16:40  
    • +0 – @KiltedBuckeye: yes, that would be the safe approach. — Jan 25, 2018 at 16:42