PrepAway - Latest Free Exam Questions & Answers

Which snap-inshould you use?

Your network contains an enterprise certification authority (CA)that runs Windows Server 2008 R2
Enterprise.
You need to ensure that all of the members of a group named Group1 can view the event log entries for
Certificate Services.
Which snap-inshould you use?

PrepAway - Latest Free Exam Questions & Answers

A.
Certificate Templates

B.
Certification Authority

C.
Authorization Manager

D.
Active Directory Users and Computers

E.
TPM Management

F.
Security Templates

G.
Group Policy Management

H.
Enterprise PKI

I.
Certificates

Explanation:
All credit goes to Luffy for correcting this one!
Practically the same as K/Q14.
We can make the Group1 group a member of the Event Log Readers Group, giving them read access to all
event logs, thus including the Certificate Servicesevents. We can do that by using Group Policy
Management.
Reference 1:
It’s a bit hard to find some good, clear reference for this. There’s nothing wrong with doing it yourself, so here’s
what I did in VMWare, using a domain controller anda member server. Click along if you want!
In VMWare I have setup a domain controller, DC01 and a member server MEM01, both belonging to the
contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group,
named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.
1. Start the Group Policy Management console on DC01.
2. Right-click the Events OU and choose “Create a GPO in this domain, and Link it here…”
3. I named the GPO “EventLog_TESTGROUP”
4. Right-click the “EventLog_TESTGROUP” GPO and choose “Edit…”
5. Go to Computer Configuration \ Policies\ Windows Settings \ Security Settings and select “Restricted
Groups”
6. Right-click “Restricted Groups” and choose “Add Group…”
7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log
Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let’s
do the second one. Click the Browse button and go find the Event Log Readers group. Click OK.
8. Click the Browse button next to “Members of this group”, search for the TESTGROUP group and add it.
It should look like this now:

9. Click OK.
10.On MEM01 open a command prompt and run gpupdate /force.
11.Check the Event Log Readers group properties andsee that the TESTGROUP group is now a member.

Reference 2:
http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-eventlogs-windows-2003-and-windows-2008.aspx
Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain
Controllers they are accessing are Windows 2003 follow the steps below.
(…)
Windows 2008 is much easier as long as you are giving the users and groups in question read access to all
event logs. If that is the case just add them to the Built inEvent Log Readers group.


Leave a Reply