Process event log backup without domain administrator permissions

If your service account is not a member of the Domain Admins group and you would like the product to process event log backups, perform the following steps:
  1. Add your service account to one of the following groups: Print Operators or Server Operators
  2. Grant Read permissions on the following registry key on all Domain Controllers: HKLM\System\CurrentControlSet\Services\EventLog\Security
  3. Share the folder that holds the event log backups (default is C:\Windows\System32\winevt\Logs) on all Domain Controllers
  4. Grant Read permissions on the event log backup folder (default is C:\Windows\System32\winevt\Logs) on all Domain Controllers

If you have many Domain Controllers, you can create a new Group Policy object to apply these settings to all of them.
To create the new Group Policy object, perform the following steps:
 
  1. Run gpmc.msc
  2. Create a new policy object and link it to the Domain Controllers OU (right-click the Domain Controllers OU, select Link an Existing GPO, then select the policy that you've just created)
  3. Edit the policy that you've just created.
  4. Navigate to Computer Configuration - Policies - Windows Settings - Security Settings - Registry
  5. Right-click Registry, select Add Key, select the following key: HKLM\System\CurrentControlSet\Services\EventLog\Security, press OK
  6. Add the Netwrix service account and grant it Read permissions
  7. Navigate to Computer Configuration - Policies - Windows Settings - Security Settings - File System
  8. Right-click File System, select Add File, select the following folder: C:\Windows\System32\winevt\Logs, press OK
  9. Add the Netwrix service account and grant it Full Control
  10. Navigate to Computer Configuration - Preferences - Windows Settings - Network Shares
  11. Right-click Network Shares - New - Network Share
  12. Select Update in the Action drop-down menu, specify the Share name (e.g. EventLogs), enter the following folder in the Folder Path field: C:\Windows\System32\winevt\Logs, press OK
After Group Policy replication, all your domain controllers will expose the EventLogs shared folder with the event logs in it, and the product will be able to process the backups.
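As an added check that is not part of the Netwrix article, the following PowerShell script verifies both lists of prerequisites above against every domain controller: the service account's membership in Print Operators or Server Operators, the Read ACEs on the EventLog\Security registry key and on the log folder, and the share on that folder. It assumes the ActiveDirectory RSAT module on the management host and WinRM access to the DCs; the account name and share name are placeholders.

```powershell
param(
    [string]$ServiceAccount = 'CONTOSO\svc-netwrix',  # placeholder account name
    [string]$ShareName      = 'EventLogs'              # share name from step 12 above
)
Import-Module ActiveDirectory

$logDir = 'C:\Windows\System32\winevt\Logs'
$regKey = 'HKLM:\System\CurrentControlSet\Services\EventLog\Security'

# Prerequisite 1: the account is a member of Print Operators or Server Operators.
# Get-ADPrincipalGroupMembership lists direct membership only; membership
# nested through another group is not detected here.
$sam    = $ServiceAccount.Split('\')[-1]
$groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
$inOperators = ($groups -contains 'Print Operators') -or ($groups -contains 'Server Operators')
"$ServiceAccount in Print Operators or Server Operators: $inOperators"

# Prerequisites 2-4, checked on every domain controller over WinRM.
# The ACL checks look for an Allow ACE that names the account directly,
# which is what the manual steps and the GPO settings above create.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$results = Invoke-Command -ComputerName $dcs -ArgumentList $ServiceAccount, $ShareName, $logDir, $regKey -ScriptBlock {
    param($acct, $share, $dir, $key)
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $readDir = [System.Security.AccessControl.FileSystemRights]::Read
    # Registry key: any Allow ACE for the account whose rights include ReadKey
    $regRead = (Get-Acl -Path $key).Access | Where-Object {
        $_.IdentityReference.Value -eq $acct -and $_.AccessControlType -eq 'Allow' -and
        ($_.RegistryRights -band $readKey) -eq $readKey
    }
    # Log folder: any Allow ACE for the account whose rights include Read
    $dirRead = (Get-Acl -Path $dir).Access | Where-Object {
        $_.IdentityReference.Value -eq $acct -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $readDir) -eq $readDir
    }
    # Share: must exist under the expected name and point at the log folder
    $smb = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DomainController = $env:COMPUTERNAME
        RegistryRead     = [bool]$regRead
        FolderRead       = [bool]$dirRead
        ShareOnLogFolder = ($null -ne $smb) -and ($smb.Path -eq $dir)
    }
}
$results | Sort-Object DomainController |
    Format-Table DomainController, RegistryRead, FolderRead, ShareOnLogFolder -AutoSize
```

Any row showing False identifies the domain controller where Group Policy has not yet applied or where the setting was changed by hand.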