Remote Access to Event Viewer for non-Admins – Windows Server 2003/2008

In 2008, this is a doddle. Add the user to the built in Event Viewers group!

In 2003 however, there’s a bit more to it. You’ll need to amend the registry. The security of each log is configured locally through the values in the following registry key:


The Application log Security Descriptor is configured through the following registry value:


Replace “Application” in the above path with “System” for the system log,“Security” for the security log etc. 

The CustomSD value is in SDDL format, as shown below:

O:BAG:SYD:(D;; 0xf0007;;;AN)(D;; 0xf0007;;;BG)(A;; 0xf0007;;;SY)(A;; 0×5;;;BA)(A;; 0×7;;;SO)(A;; 0×3;;;IU)(A;;0×2;;;BA)(A;; 0×2;;;LS)(A;; 0×2;;;NS)

So, find the SID of the user or group you want to be given read access to the log. Navigate to the CustomSD value for that log and append the value with the following:

(A;; 0×1;;;SID)

Note that there are three distinct rights that pertain to event logs: Read, Write, and Clear. These rights correspond to the following bits in the access rights field of the ACE string:

1= Read
2 = Write
4 = Clear

So, for your user to have read access, use 0×1 in the string. For read and write access, use 0×3, for read/write/clear access use 0×7 etc.


This site may also assist in the commands for DSGET which is how you find the SID:



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s