Administrator Job
Hi All, We have only one administrator to manage the servers now. The administrator logs in as Domain Administrator to do Administrator jobs. Now, we want to assign another IT Tech to do certain administrator jobs, for example, checking the Event log, etc. We do not want to let the IT Tech log in as Domain Administrator. Can anybody give me some idea about how to assign Admin jobs to another IT Tech? Thanks in advance.
April 28th, 2011 3:57pm

There is no detailed answer that can be provided to tell you exactly how to do this since you haven't provided all of the requirements. In general, you accomplish this task in a number of ways. For instance, you'll need to modify some rights and permissions in the domain. Let's say you have a group of techs that need the ability to reset passwords in the domain. Well, the best way is to create a group, add the users to the group, then delegate the appropriate permissions to that group. If you want to provide one or more people the ability to read event logs, you're lucky on that one. There is a built-in group called "Event Log Readers" that already has the necessary rights. Visit: anITKB.com, an IT Knowledge Base.
April 28th, 2011 4:15pm

Hi JM, Thank you so much for your help. We have about 10 Windows servers including Windows 2003 & 2008. Currently, only one person can log in as Administrator on each server to check the Event Log. Now, I would like to let two more IT people check the Event log on all the servers. I want them to have read-only access; I don't want them to change the settings or clear the Event log. According to your email, there is a built-in group called "Event Log Readers". I am using a Windows 2003 server as a domain controller. I could not find the group. Would you please let me know how I could find the group? Thanks a lot.
April 28th, 2011 9:31pm

Hi, The “Event Log Readers” group is not available in Windows Server 2003. To achieve the same goal, you may use the Group Policy “Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log” in the Default Domain Controllers Policy GPO. In this way, the user will have all access rights on event logs including read, write, and clear, so you need to modify the permissions manually. For detailed information, please refer to the following Microsoft KB article: How to set event log security locally or by using Group Policy in Windows Server 2003 http://support.microsoft.com/kb/323076 In addition, you may also refer to the following Microsoft TechNet blog for more information: Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008 http://blogs.technet.com/b/janelewis/archive/2010/04/30/giving-non-administrators-permission-to-read-event-logs-windows-2003-and-windows-2008.aspx Regards,
April 28th, 2011 10:09pm
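
Added example, not part of the thread or of the linked Microsoft articles: one way to prepare and check the manual permission change mentioned in the reply above, assuming the log's security descriptor is an SDDL string (the CustomSD registry value covered by KB 323076) with access bits 0x1 read, 0x2 write and 0x4 clear. The sample descriptor, the group SID and all function names are constructed for illustration.

```python
import re

# Event log access bits described in Microsoft KB 323076.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

SDDL_RE = re.compile(r"^(?P<head>.*?D:[A-Z]*)(?P<dacl>(?:\([^()]*\))*)(?P<sacl>S:.*)?$")

# Constructed sample value, not copied from a real server.
SAMPLE_SD = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
             "(A;;0x7;;;BA)(A;;0x3;;;IU)S:(AU;SA;0x4;;;WD)")
# Placeholder SID for a hypothetical read-only domain group.
READERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"

def dacl_aces(sddl):
    """Return (head, [(type, mask, sid), ...], sacl) for an event log SDDL string."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unrecognised SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("dacl")):
        f = body.split(";")
        if len(f) != 6 or not f[2].lower().startswith("0x"):
            raise ValueError("unexpected ACE: (%s)" % body)
        aces.append((f[0], int(f[2], 16), f[5]))
    return m.group("head"), aces, m.group("sacl") or ""

def grant_read_only(sddl, sid):
    """Add an allow ACE with only the read bit for sid, keeping any SACL last."""
    head, aces, sacl = dacl_aces(sddl)
    for ace_type, mask, ace_sid in aces:
        if ace_type == "A" and ace_sid == sid:
            if mask & (WRITE | CLEAR):
                raise ValueError("sid already holds write or clear access")
            if mask & READ:
                return sddl  # already delegated, nothing to change
    dacl = SDDL_RE.match(sddl).group("dacl")
    return "%s%s(A;;0x%x;;;%s)%s" % (head, dacl, READ, sid, sacl)

def can_modify(sddl):
    """Map each allowed trustee to its mask when it may write to or clear the log."""
    _, aces, _ = dacl_aces(sddl)
    return {sid: mask for t, mask, sid in aces
            if t == "A" and mask & (WRITE | CLEAR)}

if __name__ == "__main__":
    updated = grant_read_only(SAMPLE_SD, READERS_SID)
    print(updated)
    print("write/clear holders:", sorted(can_modify(updated)))
```

Running `can_modify` on the descriptor before and after the change confirms that the new group appears nowhere among the trustees able to write to or clear the log.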

@learnstudy....yeah sorry...I had assumed Win 2008. However, the information that Arthur_Li provided will also work for this scenario. My recommendation is for your administrators to each use their own unique account, which can be a member of the domain admins group. You should change the password for the "Administrator" and monitor this account for changes (via Auditing/Security Logs). To follow best practices, everyone should be logging into systems with their own accounts. Visit: anITKB.com, an IT Knowledge Base.
April 29th, 2011 9:56am

Hello Li & JM, thank you so much for your reply. I have read the articles which Li provided. According to the articles' approaches, I have to change the Registry. Are there any other ways to solve my issue? Thanks a lot.
April 29th, 2011 3:48pm

I believe that your only options are to either modify the registry or modify rights as described above. The reason why it works as an admin is because admins already have the necessary rights assigned. I can't think of any other way to accomplish this. Visit: anITKB.com, an IT Knowledge Base.
April 30th, 2011 12:52pm

This topic is archived. No further replies will be accepted.
