Is it possible to create a read-only user account for security auditing purposes?

An organization requires several administrators to have a role of a security auditor. They must have read-only (via network/remote) access to Windows Server 2008 / R2 systems and have permissions to view the server configuration. They must not be able to make any other changes to the server or the network, like restarting or making any configuration chanages.

However I can't find any built-in settings for a user like this. The closest thing is the "Users" user group [1], however from my understanding every user in the domain is in this group and cannot view the domain server's configuration.

So, what are other options of implementing a read-only user account in Windows Server 2008?

[1] http://technet.microsoft.com/en-us/library/cc771990.aspx


No, this is not plausible. It's technically possible to go through and create an account that has read-only privileges to everything, but that would be quite an undertaking, and there's nothing like that which currently exists, to my knowledge.

The issue is that, by default, most of the "configuration" settings you want to view are only accessible at all to administrative users, who can also modify them. So to create a read-only user that can access everything, you're basically looking at modifying everything (file system, registry, application permissions) to add read-only access for a given user.

Do like the rest of the world and have the auditors request information from the admins, if necessary, while the auditors watch the admins retrieve the required information.


going forward, your auditor should be using a system like Varonis to track system changes. Then they have their own interrogation tool that they alone can log into and it'll give them that kind of information.

Changing file system, registry etc permissions may lead to permission problems in future.

Anthony