The system is Server 2008R2, not a member of a domain.
Per DISA's STIG, I'm required to set up a separate auditors group for managing event logs.
I figured it was as easy as creating a group, adding a separate user account, assigning the 'Manage auditing and security log' right to the auditors group, and removing the Administrators group from that right.
So I did this. The account that's a member of the 'auditors' group is a user. If I log in, I can read the event logs but I am unable to clear them. I'm given an 'access is denied'.
Furthermore, if I log in as an administrator, which shouldn't have any rights to clear the event logs, I am able to.
I verified NTFS permissions are full control for the eventlog service, auditors have full, system has full, and administrators have read/execute.
Where have I failed?
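As an added diagnostic, not part of the original post, the following PowerShell script shows the two things that actually decide who can clear a given event log on Windows: the channel's own access SDDL as reported by wevtutil (not the NTFS ACL on the .evtx file), and whether the current logon token holds SeSecurityPrivilege. $LogName is an assumed parameter; it assumes PowerShell 2.0 or later and wevtutil.exe on the PATH.

```powershell
# Added diagnostic example, not from the original post.
# Assumes PowerShell 2.0+ and wevtutil.exe on the PATH; $LogName is a hypothetical parameter.
param([string]$LogName = 'Security')

# 1. Effective channel ACL: the channelAccess SDDL that wevtutil reports governs
#    read/write/clear on a log channel, independent of NTFS permissions on the file.
$sddl = (& wevtutil.exe gl $LogName |
         Where-Object { $_ -match '^\s*channelAccess:' }) -replace '^\s*channelAccess:\s*', ''
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

# Event log access-mask bits (ELF_LOGFILE_READ / WRITE / CLEAR)
$READ = 0x1; $WRITE = 0x2; $CLEAR = 0x4

"Channel ACL for '$LogName':"
foreach ($ace in $sd.DiscretionaryAcl) {
    # Translate the SID to an account name where possible; fall back to the raw SID
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }
    $rights = @()
    if ($ace.AccessMask -band $READ)  { $rights += 'read' }
    if ($ace.AccessMask -band $WRITE) { $rights += 'write' }
    if ($ace.AccessMask -band $CLEAR) { $rights += 'clear' }
    '{0,-13} {1,-40} {2}' -f $ace.AceType, $who, ($rights -join ',')
}

# 2. Privileges in the current token: clearing the Security log additionally requires
#    SeSecurityPrivilege ("Manage auditing and security log"). Token privileges are fixed
#    at logon, so a changed user-rights assignment only shows up after logging on again.
"SeSecurityPrivilege in current token:"
& whoami.exe /priv | Select-String 'SeSecurityPrivilege'
```

Running it once as the auditors account and once as an administrator makes it visible which of the two checks is granting or denying the clear operation for each log.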