Account privileges required for Event Log Collection
Domain Setup
For admin users
In a domain setup, an account with domain admin privileges can collect logs from every Windows device without further configuration. Using a domain admin account for routine log collection is not recommended, because a compromise of the collector then exposes the whole domain; prefer the least-privilege service account described next.
For non-admin users
In a domain setup, set up a service account that holds only the privileges needed to collect logs: read access to the event logs, DCOM activation rights, remote access to the relevant WMI namespace, and the matching inbound firewall rules. To create such an account, follow the steps below.
Step 1: Create a new user
- Log in to your domain controller with domain admin privileges.
- Open the Run command and type dsa.msc to open Active Directory Users and Computers.
- Right click on your domain → New → User.
Step 2: Create a new domain level GPO and link the GPO
- Open the Run command in domain controller and type gpmc.msc to open Group Policy Management Console.
- Right click on the domain → Create a GPO in this domain and link it here.
- Name the GPO as "ELA GPO" and click OK.
Step 3: Add the user to the Event Log Readers and Distributed COM Users groups
- Open the Run command on the domain controller and type gpmc.msc to open the Group Policy Management Console (gpedit.msc opens only the Local Group Policy Editor and cannot edit the domain GPO).
- Right click on the created GPO → Edit.
- In the Group Policy Management Editor, go to User Configuration → Preferences → Control Panel Settings → Local Users and Groups.
- Right click on Local Users and Groups → New → Local Group.
- Under Group name, select Event Log Readers (built-in). Under Members, click Add, select the created user, and click OK. (The procedure also ticks Add the current user; that option adds the logged-on user as well and is not needed for the service account.)
- To add the user to Distributed COM Users, create a second Local Group item in the same way, selecting Distributed COM Users (built-in) as the group name.
Note:
Event Log Readers: members of this built-in group can read the event logs on the computer, including the Security log, without any administrative rights.
Distributed COM Users: members of this built-in group can launch, activate, and use DCOM objects on the computer, which remote WMI connections over DCOM require.
Step 4: Enable WMI and Remote Event Log Management traffic through the firewall
- Open the Run command and type gpmc.msc to open the Group Policy Management Console.
- Right click on the created GPO → Edit.
- Go to Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Inbound Rules.
- Right click on Inbound Rules → New Rule → Predefined → select Windows Management Instrumentation (WMI) → select all rules in the group → Allow the connection.
- To allow Remote Event Log Management connections, repeat the previous bullet, selecting Remote Event Log Management in the Predefined list.
Note: These predefined rules do not expose the RPC dynamic port range (49152 - 65535 by default) to every application. Each rule is bound to a specific program or service: the WMI group allows TCP 135 (RPC endpoint mapper) to the RPCSS service, dynamic RPC ports to the WMI service (winmgmt), and callbacks to unsecapp.exe; the Remote Event Log Management group allows TCP 135, dynamic RPC ports to the Event Log service, and TCP 445 for the named-pipe variant. Another process listening on a port in that range is not reachable through these rules. Where possible, restrict the rules' remote IP address scope to the log collector's address.
Step 5: Force a group policy update
- On the domain controller, open a command prompt and run gpupdate /force.
- Run the same command, with administrative privileges, on every domain computer from which logs are to be collected (or wait for the normal refresh interval).
Step 6: Grant the necessary WMI permissions
a. For a single computer (domain or workgroup)
- Search for Computer Management in the Start menu and run it as administrator.
- Expand Services and Applications → WMI Control.
- Right click on WMI Control → Properties → Security tab → select Root\cimv2 in the namespace tree → Security.
- Add the non-admin user and allow Enable Account, Remote Enable, Read Security, and Execute Methods; leave the write permissions (Full Write, Partial Write, Provider Write, Edit Security) unchecked.
- Click Advanced, select the user, click Edit, set Applies to: This namespace and subnamespaces, and click OK.
Note:
Enable Account: allows the user to read WMI objects (classes and instances) in the namespace; without it the other rights are useless.
Remote Enable: allows the user to access the namespace from a remote computer; local access does not require it.
Read Security: allows the user to read the namespace's security descriptor.
Execute Methods: allows the user to execute methods defined on WMI classes in the namespace.
These permissions are applied to the selected namespace and, with the Applies to setting above, to its sub-namespaces.
b. For multiple domain computers (Windows servers and workstations)
Grant WMI namespace security rights using a GPO (PowerShell script)
Make sure that script execution is allowed on the workstations. If it is not, enable it through policy:
In the Local Group Policy Editor (or in the GPO under Computer Configuration → Policies),
- Navigate to Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell.
- Double-click Turn on Script Execution and enable it. Prefer Allow only signed scripts over Allow all scripts: a startup script runs as SYSTEM on every targeted computer.
Script download link
- Copy the WMIrights.ps1 script to a shared location in the domain that the computer accounts can read (for example the GPO's own scripts folder in SYSVOL).
- Right click on the WMI NameSpace Security Rights GPO (create and link it as in Step 2 if it does not exist yet) → Edit, and navigate to Computer Configuration → Policies → Windows Settings → Scripts (Startup/Shutdown) → Startup → Properties.
- Select the PowerShell Scripts tab → Add.
- In the Add Script dialog box, click Browse, select the WMIrights.ps1 file from the shared location, and set the parameter to "domainname\username" (the service account created in Step 1).
- Click OK to return to the Startup Properties dialog box → Apply → OK.
Configuring Administrative Template settings
- In the left pane of the Group Policy Management Editor, navigate to Computer Configuration → Administrative Templates → System.
- Under System, select Scripts.
- In the right pane, double-click Run logon scripts synchronously, enable it → Apply → OK.
- Enable Specify maximum wait time for Group Policy scripts and set the wait time to 10 seconds.
- Navigate to System → Logon, double-click Always wait for the network at startup and logon, enable it → Apply → OK.
- Navigate to System → Group Policy, double-click Configure Group Policy slow link detection, enable it → Apply → OK.
Apply the GPO
- In the left pane of the Group Policy Management Editor, right-click the GPO's root node → Properties.
- On the Security tab, select Authenticated Users and clear the Apply Group Policy permission (leave Read allowed: computer accounts must still be able to read the GPO, otherwise it is not processed) → Add.
- In the dialog box that appears, click Object Types and make sure Computers is ticked.
- Enter the names of the required computers and groups and click Check Names.
- Select the required computers and groups and click OK to return to the Properties dialog box.
- On the Security tab, allow Apply Group Policy for the selected computers and groups → Apply → OK.
- Restart the computers and repeat Step 5 (gpupdate /force) so that the GPO runs the script that grants the WMI permissions.
Note:
- After all the required devices have been granted WMI permissions, remove the script from Computer Configuration → Policies → Windows Settings → Scripts (Startup/Shutdown) → Startup; otherwise it runs at every startup.
- Not applicable to multiple workgroup devices, which cannot receive a GPO; grant the permissions on each of them as described in 6a.
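The following is an added example and is not the WMIrights.ps1 script referred to above, nor any other code from the product. It performs the same grant as Step 6(a) (Enable Account, Remote Enable, Read Security, Execute Methods on root\cimv2 and its sub-namespaces) from Windows PowerShell 5.1, and reads the DACL back so the result can be checked. Deployed as a startup script as in 6(b), it runs as SYSTEM and takes the account from the script parameter; the account name 'CORP\svc-eventlog' and the function names are placeholders.

```powershell
<#
 Added example (not the page's WMIrights.ps1): grant a non-admin account read-only WMI
 rights on a namespace and its sub-namespaces, then list the resulting ACEs.
 Run elevated in Windows PowerShell 5.1 (Invoke-WmiMethod is absent from PowerShell 7).
 $Account comes from the GPO startup-script parameter; the default is a placeholder.
#>
param([string]$Account = 'CORP\svc-eventlog')

# WMI namespace access-mask bits (WBEM_* values from the WMI security documentation).
$WBEM_ENABLE           = 0x00001   # "Enable Account": read objects in the namespace
$WBEM_METHOD_EXECUTE   = 0x00002   # "Execute Methods"
$WBEM_REMOTE_ACCESS    = 0x00020   # "Remote Enable": access from a remote computer
$READ_CONTROL          = 0x20000   # "Read Security": read the namespace security descriptor
$CONTAINER_INHERIT_ACE = 0x2       # ACE flag: "This namespace and subnamespaces"

function Grant-WmiNamespaceReadAccess {
    param(
        [Parameter(Mandatory)][string]$Account,      # "DOMAIN\user" or "COMPUTER\user"
        [string]$Namespace    = 'root\cimv2',
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Exactly the four read-type rights; no write bits, so the account cannot alter WMI.
    $mask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS -bor $READ_CONTROL

    # Store the trustee as a SID so the ACE is valid for domain accounts and survives renames.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $sidBytes = New-Object byte[] $sid.BinaryLength
    $sid.GetBinaryForm($sidBytes, 0)

    $target = @{ Namespace = $Namespace; Path = '__systemsecurity=@'; ComputerName = $ComputerName }
    $out = Invoke-WmiMethod @target -Name GetSecurityDescriptor
    if ($out.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed with $($out.ReturnValue)" }
    $sd = $out.Descriptor

    # Idempotent: a startup script re-runs at every boot, so never stack duplicate ACEs.
    $present = @($sd.DACL | Where-Object {
        $_.Trustee.SIDString -eq $sid.Value -and $_.AccessMask -eq $mask -and $_.AceType -eq 0 })
    if ($present.Count -gt 0) { return 'already-present' }

    $trustee = (New-Object System.Management.ManagementClass('Win32_Trustee')).CreateInstance()
    $trustee.SID       = $sidBytes
    $trustee.SIDString = $sid.Value
    $parts = $Account -split '\\', 2
    if ($parts.Count -eq 2) { $trustee.Domain = $parts[0]; $trustee.Name = $parts[1] }
    else                    { $trustee.Name = $parts[0] }

    $ace = (New-Object System.Management.ManagementClass('Win32_Ace')).CreateInstance()
    $ace.AccessMask = $mask
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE   # inherit into sub-namespaces
    $ace.AceType    = 0                        # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee.PSObject.ImmediateBaseObject

    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $out = Invoke-WmiMethod @target -Name SetSecurityDescriptor -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($out.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed with $($out.ReturnValue)" }
    return 'granted'
}

function Get-WmiNamespaceAce {
    # Read the DACL back so the grant can be verified or audited without the MMC dialog.
    param([string]$Namespace = 'root\cimv2', [string]$ComputerName = $env:COMPUTERNAME)
    $out = Invoke-WmiMethod -Namespace $Namespace -Path '__systemsecurity=@' `
               -ComputerName $ComputerName -Name GetSecurityDescriptor
    foreach ($ace in $out.Descriptor.DACL) {
        [pscustomobject]@{
            Trustee    = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
            AccessMask = '0x{0:X}' -f $ace.AccessMask     # 0x20023 for the four rights above
            Allow      = ($ace.AceType -eq 0)
            SubNs      = [bool]($ace.AceFlags -band $CONTAINER_INHERIT_ACE)
        }
    }
}

Grant-WmiNamespaceReadAccess -Account $Account
Get-WmiNamespaceAce | Format-Table -AutoSize
```

The GetSecurityDescriptor/SetSecurityDescriptor methods of the __SystemSecurity class are what the WMI Control MMC dialog calls, so the resulting ACE (access mask 0x20023, container-inherit) is identical to the one produced by Step 6(a). Run it with -ComputerName to fix a single remote machine, or let the GPO run it locally on each one.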
Workgroup Setup
Step 1: Add the user to the Event Log Readers and Distributed COM Users groups
- Log in to the workgroup computer with administrative privileges, open the Run command and type compmgmt.msc to open Computer Management → Local Users and Groups.
- Right click on Users → New User and create the account (clear User must change password at next logon, since the service account never logs on interactively).
- Right click on Groups → select Distributed COM Users → Properties → Add → select the created user.
- To add the user to the Event Log Readers group, repeat the previous bullet, selecting Event Log Readers.
Step 2: Grant the necessary WMI permissions
- Follow Step 6(a) under Domain Setup (Grant the necessary WMI permissions) on the workgroup computer.
Step 3: Enable WMI and Remote Event Log Management traffic through the firewall
- Open the Run command and type wf.msc to open Windows Firewall with Advanced Security.
- Right-click on Inbound Rules → New Rule → Predefined → select Windows Management Instrumentation (WMI) → select all rules in the group → Allow the connection.
- To allow Remote Event Log Management connections, repeat the previous bullet, selecting Remote Event Log Management in the Predefined list.
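The following is an added example, not code from the page or the product. It scripts the workgroup procedure (Steps 1 and 3; Step 2 is the WMI grant from 6(a)) and adds the check a practitioner wants at the end of either the domain or the workgroup setup: from the collector host, with the service account's credentials, confirm that both the WMI (DCOM) path and the remote event log path work. It assumes Windows PowerShell 5.1 with the LocalAccounts and NetSecurity modules (Windows 10 / Server 2016 or later), run elevated on the target; the user name 'svc-eventlog', the host name 'WS01' and the function names are placeholders.

```powershell
<#
 Added example (not from the page or the product): the workgroup procedure as a script,
 plus an end-to-end check from the collector host. Windows PowerShell 5.1, run elevated.
 'svc-eventlog' and 'WS01' are placeholders.
#>

function New-EventLogCollectorAccount {
    # Step 1: a local user that is a member of exactly the two built-in groups, nothing else.
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][securestring]$Password)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        # PasswordNeverExpires keeps collection from breaking on expiry; rotate it yourself.
        New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires `
            -UserMayNotChangePassword -Description 'Event log collection (read-only)' | Out-Null
    }
    foreach ($group in 'Event Log Readers', 'Distributed COM Users') {
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue)
        if (-not ($members | Where-Object { $_.Name -like "*\$Name" })) {
            Add-LocalGroupMember -Group $group -Member $Name
        }
    }
    # Least-privilege check: the account must not also be a local administrator.
    Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -like "*\$Name" } |
        ForEach-Object { Write-Warning "$Name is a local Administrator; remove it for least privilege" }
}

function Enable-EventLogCollectionFirewallRules {
    # Step 3: enable the two predefined inbound groups and show what each rule is bound to
    # (a service or program, not a bare port range).
    param([string[]]$CollectorAddress)   # optional: limit remote addresses to the collector
    foreach ($group in 'Windows Management Instrumentation (WMI)', 'Remote Event Log Management') {
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound
        $rules | Enable-NetFirewallRule
        if ($CollectorAddress) { $rules | Set-NetFirewallRule -RemoteAddress $CollectorAddress }
        foreach ($rule in $rules) {
            $port = $rule | Get-NetFirewallPortFilter
            $svc  = $rule | Get-NetFirewallServiceFilter
            $app  = $rule | Get-NetFirewallApplicationFilter
            [pscustomobject]@{ Rule = $rule.DisplayName; Protocol = $port.Protocol
                               LocalPort = $port.LocalPort; Service = $svc.Service; Program = $app.Program }
        }
    }
}

function Test-EventLogCollectorAccess {
    # Run from the collector host (credentials cannot be used for a local connection).
    # Works the same for a domain service account after the Domain Setup steps.
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][pscredential]$Credential)
    $result = [ordered]@{ Wmi = $false; EventLog = $false }
    try {
        # DCOM/WMI path: needs Distributed COM Users + namespace rights + the WMI firewall group.
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace root\cimv2 `
                  -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
        $result.Wmi = [bool]$os.Caption
    } catch { Write-Warning "WMI access failed: $($_.Exception.Message)" }
    try {
        # Event log path: needs Event Log Readers + the Remote Event Log Management firewall group.
        $ev = Get-WinEvent -LogName Security -MaxEvents 1 -ComputerName $ComputerName `
                  -Credential $Credential -ErrorAction Stop
        $result.EventLog = ($null -ne $ev)
    } catch { Write-Warning "Event log access failed: $($_.Exception.Message)" }
    [pscustomobject]$result
}

# On the workgroup target:
#   New-EventLogCollectorAccount -Name 'svc-eventlog' -Password (Read-Host -AsSecureString 'Password')
#   Enable-EventLogCollectionFirewallRules -CollectorAddress '10.0.0.5' | Format-Table -AutoSize
# From the collector host (domain or workgroup):
#   Test-EventLogCollectorAccess -ComputerName 'WS01' -Credential (Get-Credential 'WS01\svc-eventlog')
```

A result of Wmi = True, EventLog = False usually means the Event Log Readers membership or the Remote Event Log Management rules are missing; Wmi = False with an access-denied message usually points at the namespace rights from Step 6 or the Distributed COM Users membership, while an RPC-unavailable message points at the firewall rules.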