If your service account is not a member of the domain administrator group and you would like the product to process event log backups, perform the following steps:
- Add your service account to one of the following groups: Print Operators or Server Operators
- Specify Read permissions for the following registry node: HKLM\System\CurrentControlSet\Services\EventLog\Security on all Domain Controllers
- Share the folder with event log backups (default is C:\Windows\System32\winevt\Logs) on all Domain Controllers
- Specify read permissions for the event log backup folder (default is C:\Windows\System32\winevt\Logs) on all Domain Controllers
If you have too many Domain Controllers, you can create a new group policy to apply these settings to all Domain Controllers.
To create a new group policy, perform the following steps:
- Run gpmc.msc
- Create a new policy object and link it to the Domain Controllers OU (right-click the Domain Controllers OU and select Link Existing GPO, then select the policy that you’ve just created)
- Edit the policy that you’ve just created.
- Navigate to Computer Configuration – Policies – Windows Settings – Security Settings – Registry
- Right-click Registry, select Add Key, select the following key: HKLM\System\CurrentControlSet\Services\EventLog\Security, press OK
- Add the Netwrix service account, specify Read permissions
- Navigate to Computer Configuration – Policies – Windows Settings – Security Settings – File System
- Right-click File System, select Add File, select the following folder: C:\Windows\System32\winevt\Logs, press OK
- Add the Netwrix service account, specify Full control
- Navigate to Computer Configuration – Preferences – Windows Settings – Network Shares
- Right-click Network Shares and select New – Network Share
- Select Update in the Action drop-down menu, specify the Share name (e.g. EventLogs), enter the following folder in the Folder Path field: C:\Windows\System32\winevt\Logs, press OK
After replication, all your domain controllers will have the Event Logs shared folder with event logs in it and the product will be able to process backups.
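To confirm that the policy has applied, the following script reports what each domain controller actually grants the service account. It is an added example, not part of the original article or the product. It assumes the ActiveDirectory module, PowerShell remoting to the DCs, and a placeholder account name (CONTOSO\svc-audit); the share name EventLogs is the example name from the steps above.

```powershell
# Added example: report the settings from the steps above on every domain controller.
# Assumptions (not from the article): placeholder account name, PowerShell remoting
# enabled on the DCs, ActiveDirectory module installed, run by a domain administrator.
Import-Module ActiveDirectory

$Sam       = 'svc-audit'                  # placeholder: service account sAMAccountName
$Account   = "CONTOSO\$Sam"               # placeholder: DOMAIN\account as shown in ACLs
$ShareName = 'EventLogs'                  # example share name from the GPO steps
$RegKey    = 'HKLM:\System\CurrentControlSet\Services\EventLog\Security'
$LogFolder = 'C:\Windows\System32\winevt\Logs'

# Step 1: membership in Print Operators or Server Operators (direct membership only).
$groups = Get-ADPrincipalGroupMembership -Identity $Sam |
    Where-Object { $_.Name -in 'Print Operators', 'Server Operators' }
"Operator group membership: " + $(if ($groups) { $groups.Name -join ', ' } else { 'none' })

$check = {
    param($Account, $ShareName, $RegKey, $LogFolder)

    # Only ACEs that name the account itself are listed; rights inherited
    # through group membership will not appear in these columns.
    $regAces = (Get-Acl -Path $RegKey).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
    }
    $dirAces = (Get-Acl -Path $LogFolder).Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow'
    }
    $share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RegistryRights = ($regAces.RegistryRights -join '; ')
        FolderRights   = ($dirAces.FileSystemRights -join '; ')
        SharePath      = $share.Path
        ShareOk        = ($share.Path -eq $LogFolder)   # share exists and points at the log folder
    }
}

# Steps 2-4: run the check on every DC and show one row per controller.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock $check `
    -ArgumentList $Account, $ShareName, $RegKey, $LogFolder |
    Select-Object PSComputerName, RegistryRights, FolderRights, SharePath, ShareOk |
    Format-Table -AutoSize
```

An empty RegistryRights or FolderRights column, or ShareOk set to False, means that controller has not yet received the setting.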