I am trying to create an account for a user with limited access. However, I want them to be able to view, filter, and save the audit logs. I have granted them access to audit the machine in the Local Security Policy (this is a standalone machine, no Active Directory; group policies don't apply). However, when I check the Event Viewer with this account, all I get is the following error repeatedly:
The description for Event ID (560) in Source (security) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer........ (abridged version)
So, with this new limited account, I can actually open up the security audit log in Event Viewer, but I repeatedly get that error, and it doesn't list anything under the *EDIT* SOURCE COLUMN. I'm guessing that there is a permission that I must grant the user, but I'm not sure upon which file/directory to apply it. Does anyone have any ideas?
Last edited by herrmag; 02-26-2007 at 10:01 PM.
I figured it out. Apparently the user must be part of the Backup Operators group. Then you grant the Backup Operators permission to "Manage auditing and security log" in the Local Security Policy.
For some reason, adding the user in the local security policy did not give the user full functionality of the security audit logs, nor did making the user a Power User and adding the Power Users group in the Local Security Policy. The Backup Operators group must have specific permissions associated with them that no other group does, even the Power Users group. At least that's my guess, as I haven't yet done any detailed research on what specifically the Backup Operators group's permissions are.
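Added example, not part of the original posts: a Python check of which accounts hold the "Manage auditing and security log" right (`SeSecurityPrivilege`) discussed above, read from the text of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` dump. The sample export, the `auditor` account name, and the function names are constructed for illustration.

```python
# Added example: audit which accounts hold "Manage auditing and security log".
# Input is the text of: secedit /export /cfg rights.inf /areas USER_RIGHTS
# (the real file is UTF-16; read it with open(path, encoding="utf-16")).

WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}
AUDIT_LOG_RIGHT = "SeSecurityPrivilege"  # "Manage auditing and security log"

# Constructed sample, not taken from the poster's machine.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-32-551,auditor
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: [holder, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading "*"; unresolved names appear as-is.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights

def holders_of(inf_text, privilege=AUDIT_LOG_RIGHT):
    """Holders of one right, with well-known SIDs shown as group names."""
    holders = parse_privilege_rights(inf_text).get(privilege, [])
    return [WELL_KNOWN.get(h, h) for h in holders]

def review(inf_text, expected=("Administrators", "Backup Operators")):
    """List holders of the audit-log right that are outside the expected set."""
    return [h for h in holders_of(inf_text) if h not in expected]

if __name__ == "__main__":
    print("Holders:", holders_of(SAMPLE_EXPORT))
    print("Unexpected:", review(SAMPLE_EXPORT))
```

The same right also permits clearing the Security log, so any holder outside the expected set is worth reviewing.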