PrepAway - Latest Free Exam Questions & Answers

Which snap-in should you use?

Your network contains an enterprise certification authority (CA) that runs Windows Server
2008 R2 Enterprise.
You need to ensure that all of the members of a group named Group1 can view the event
log entries for Certificate Services.
Which snap-in should you use?

PrepAway - Latest Free Exam Questions & Answers

A.
Certificate Templates

B.
Certification Authority

C.
Authorization Manager

D.
Active Directory Users and Computers

E.
TPM Management

F.
Security Templates

G.
Group Policy Management

H.
Enterprise PKI

I.
Certificates

Explanation:

We can make the Group1 group a member of the Event Log Readers Group, giving them
read access to all event logs, thus including the Certificate Services events. We can do that
by using Group Policy Management.
Reference 1)
It’s a bit hard to find some good, clear reference for this. There’s nothing wrong with doing it
yourself, so here’s what I did in VMWare, using a domain controller and a member server.
Click along if you want!
In VMWare I have setup a domain controller, DC01 and a member server MEM01, both
belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have
created a global security group, named TESTGROUP, and I want to make it a member of
the built-in Event Log Readers group on MEM01.
Start the Group Policy Management console on DC01.
Right-click the Events OU and choose “Create a GPO in this domain, and Link it here…”
I named the GPO “EventLog_TESTGROUP”
Right-click the “EventLog_TESTGROUP” GPO and choose “Edit…”
Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select
“Restricted Groups”
Right-click “Restricted Groups” and choose “Add Group…”
Now there are two ways to do this. We can select TESTGROUP and make it a member of
the Event Log Readers group, or we can select the Event Log Readers group and add
TESTGROUP as a member. Let’s do the second one. Click the Browse button and go find
the Event Log Readers group. Click OK.
Click the Browse button next to “Members of this group”, search for the TESTGROUP group
and add it.
It should look like this now:

Click OK.
On MEM01 open a command
prompt and run gpupdate /force.
Check the Event Log Readers
group properties and see that
the TESTGROUP group is now a
member.

Reference 2)
http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administratorspermission-to-read-event-logs-windows-2003-and-windows-2008.aspx
Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
So if you want to give Non-Administrator users access remotely to Event logs if the Servers
or Domain Controllers they are accessing are Windows 2003 follow the steps below.
(…)
Windows 2008 is much easier as long as you are giving the users and groups in question
read access to all event logs. If that is the case just add them to the Built in Event Log
Readers group.


Leave a Reply