Is it possible to grant Read-Only Access to all Event Logs on Domain Controllers

I would like to grant Read-Access to event logs on all my domain controllers, ideally at a domain level using GPO. I would like members of a group to be able to view the Application Log, the System Log, and several logs in "Application and Services logs" such as "Directory Service" and "File Replication Service." What would be the best strategy of going about this?

Please note that most of my Domain Controllers are 2008 R2


Solution 1:

There is a built in group for just this purpose. Event Log Readers. Add users to the group that you want to have read access to the logs. You can definitely do this via GPO. You can modify the Default Domain Controllers Policy (or create one at the same level) if you want it to only apply to your DCs. You want to update the Event Log Readers group with the users you want to be able to read event logs on your DCs.

enter image description here

Solution 2:

It's definitely feasible, depending on if you're running Server 2003 SP1 and newer or not. If so you can modify some registry settings that allow specific access to Event viewer as well as apply local GPO settings for users.

Microsoft has a Document Here out there showing the steps to take to do exactly what you want to do.