Your network contains an Active Directory domain named adatum.com.
All servers run Windows Server 2008 R2.
The network contains an enterprise certification authority (CA).
You need to ensure that all of the members of a group named Managers can view the event log entries for Certificate Services.
Which snap-in should you use?
A. Active Directory Administrative Center
B. Authorization Manager
C. Certificate Templates
D. Certificates
E. Certification Authority
F. Enterprise PKI
G. Group Policy Management
H. Security Configuration Wizard
I. Share and Storage Management
Correct Answer: G
Explanation/Reference:
All credit goes to Luffy for correcting this one!
Practically the same as G/Q37.
We can make the Group1 group a member of the Event Log Readers Group, giving them read access to all event logs, thus including the Certificate Services events. We can do that by using Group Policy Management.
Reference 1:
It’s a bit hard to find a good, clear reference for this. There’s nothing wrong with doing it yourself, so here’s what I did in VMware, using a domain controller and a member server. Click along if you want!
In VMware I have set up a domain controller, DC01, and a member server, MEM01, both belonging to the contoso.com domain. I have placed MEM01 in an OU named Events. I have created a global security group, named TESTGROUP, and I want to make it a member of the built-in Event Log Readers group on MEM01.
1. Start the Group Policy Management console on DC01.
2. Right-click the Events OU and choose "Create a GPO in this domain, and Link it here…"
3. I named the GPO "EventLog_TESTGROUP"
4. Right-click the "EventLog_TESTGROUP" GPO and choose "Edit…"
5. Go to Computer Configuration > Policies > Windows Settings > Security Settings and select "Restricted Groups"
6. Right-click "Restricted Groups" and choose "Add Group…"
7. Now there are two ways to do this. We can select TESTGROUP and make it a member of the Event Log Readers group, or we can select the Event Log Readers group and add TESTGROUP as a member. Let’s do the second one. Click the Browse button and go find the Event Log Readers group. Click OK.
8. Click the Browse button next to "Members of this group", search for the TESTGROUP group and add it.
The Event Log Readers properties dialog should now list TESTGROUP under "Members of this group".
9. Click OK.
10. On MEM01 open a command prompt and run gpupdate /force.
11. Check the Event Log Readers group properties and see that the TESTGROUP group is now a member.
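Steps 10 and 11 can also be checked from an elevated PowerShell prompt on MEM01. The script below is an added example, not part of the original walkthrough; the NetBIOS domain name CONTOSO and the function names are assumptions made for this lab.

```powershell
# Added example: verify the Restricted Groups result on MEM01 (run elevated).
# Assumptions: NetBIOS domain name CONTOSO; GPO and group names from the lab.
param(
    [string]$ExpectedMember = 'CONTOSO/TESTGROUP',
    [string]$GpoName        = 'EventLog_TESTGROUP'
)

function Get-EventLogReadersMember {
    # Resolve the built-in group by its well-known SID (S-1-5-32-573) so the
    # lookup does not depend on the display language of the server.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-573'
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its ADsPath (WinNT://DOMAIN/name).
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', ''
    }
}

function Test-EventLogReadersPolicy {
    param([string]$Member, [string]$Gpo)

    # Step 10: refresh computer policy so the Restricted Groups setting applies.
    gpupdate /target:computer /force | Out-Null

    # Confirm the GPO is in the computer's applied list.
    $rsop = gpresult /r /scope computer | Out-String
    $gpoApplied = $rsop -match [regex]::Escape($Gpo)

    # Step 11: list the actual members. "Members of this group" enforces the
    # list in the GPO, so entries that are not in the policy are removed at
    # refresh; anything unexpected here deserves a second look.
    $members = @(Get-EventLogReadersMember)
    $present = $members -contains $Member

    New-Object PSObject -Property @{
        GpoApplied     = [bool]$gpoApplied
        MemberPresent  = [bool]$present
        CurrentMembers = ($members -join ', ')
    }
}

Test-EventLogReadersPolicy -Member $ExpectedMember -Gpo $GpoName | Format-List
```

A user in TESTGROUP needs a new logon session before the added group membership appears in their access token.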
Reference 2:
http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx
Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
So if you want to give Non-Administrator users access remotely to Event logs if the Servers or Domain Controllers they are accessing are Windows 2003 follow the steps below.
(…)
Windows 2008 is much easier as long as you are giving the users and groups in question read access to all event logs. If that is the case just add them to the Built in Event Log Readers group.