Your network contains an Active Directory domain named adatum.com. All servers run
Windows Server 2008 R2.
The network contains an enterprise certification authority (CA).
You need to ensure that all of the members of a group named Managers can view the event
log entries for Certificate Services.
Which snap-in should you use?

A.
Active Directory Administrative Center

B.
Authorization Manager

C.
Certificate Templates

D.
Certificates

E.
Certification Authority

F.
Enterprise PKI

G.
Group Policy Management

H.
Security Configuration Wizard

I.
Share and Storage Management

Explanation:
We can make the Group1 group a member of the Event Log Readers Group, giving them
read access to all event logs, thus including the Certificate Services events. We can do that
by using Group Policy Management.
Reference 1)
It’s a bit hard to find some good, clear reference for this. There’s nothing wrong with doing it
yourself, so here’s what I did in VMWare, using a domain controller and a member server.
Click along if you want!
In VMWare I have setup a domain controller, DC01 and a member server MEM01, both
belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have
created a global security group, named TESTGROUP, and I want to make it a member of
the built-in Event Log Readers group on MEM01.
Start the Group Policy Management console on DC01.
Right-click the Events OU and choose “Create a GPO in this domain, and Link it here…”
I named the GPO “EventLog_TESTGROUP”
Right-click the “EventLog_TESTGROUP” GPO and choose “Edit…”
Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select
“Restricted Groups”
Right-click “Restricted Groups” and choose “Add Group…”
Now there are two ways to do this. We can select TESTGROUP and make it a member of
the Event Log Readers group, or we can select the Event Log Readers group and add
TESTGROUP as a member. Let’s do the second one. Click the Browse button and go find
the Event Log Readers group. Click OK.
Click the Browse button next to “Members of this group”, search for the TESTGROUP group
and add it.
Click OK.
10. On MEM01 open a command prompt and run gpupdate /force.
Check the Event Log Readers group properties and see that the TESTGROUP group is now
a member.
Reference 2)
http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administratorspermission-to-read-event-logs-windows-2003-and-windows-2008.aspx
Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
So if you want to give Non-Administrator users access remotely to Event logs if the Servers
or Domain Controllers they are accessing are Windows 2003 follow the steps below.
(…)
Windows 2008 is much easier as long as you are giving the users and groups in question
read access to all event logs. If that is the case just add them to the Built in Event Log
Readers group.