Non Administrator Account Perms to Write to Application Event Log
Hello, I have a service configured to run as a non-administrator domain account. This service can be configured to write errors and warnings to the Application event log. I have tried adding permissions to the Application event log for the account's SID and also for AU (Authenticated Users) using the method below, but I can't seem to get it to work. It works if I add the service's domain account to the local Administrators group, but I do not want it in that group for security reasons. Does anyone have any recommendations on what I should try next?

From http://support.microsoft.com/kb/323076/en-us:

"Modify Your Local Policy to Permit Customization of the Security of Your Event Logs

1. Back up the %WinDir%\Inf\Sceregvl.inf file to a known location.
2. Open %WinDir%\Inf\Sceregvl.inf in Notepad.
3. Scroll to the middle of the file, and then put the pointer immediately before [Strings]. Insert the following lines:

   MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD,1,%AppLogSD%,2
   MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD,1,%SysLogSD%,2

4. Scroll to the end of the file, and then insert the following lines:

   AppLogSD="Event log: Specify the security of the application log in Security Descriptor Definition Language (SDDL) syntax"
   SysLogSD="Event log: Specify the security of the System log in Security Descriptor Definition Language (SDDL) syntax"

5. Save and then close the file.
6. Click Start, click Run, type regsvr32 scecli.dll in the Open box, and then press ENTER.
7. In the DllRegisterServer in scecli.dll succeeded dialog box, click OK.

Use the Computer's Local Group Policy to Set Your Application and System Log Security

1. Click Start, click Run, type gpedit.msc, and then click OK.
2. In the Group Policy editor, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
3. Double-click Event log: Application log SDDL, type the SDDL string that you want for the log security, and then click OK.
4. Double-click Event log: System log SDDL, type the SDDL string that you want for the log security, and then click OK."

I appended the following strings to the new policy:

(A;;0x3;;;AU) - Authenticated Users
(A;;0x3;;;<domain account sid>) - Domain account for the service
September 30th, 2010 1:24pm

Hi, I would like to explain the default settings for the Application and System event logs:

O:BAG:SYD:
*(D;;0xf0007;;;AN)   // (Deny) Anonymous: All Access
*(D;;0xf0007;;;BG)   // (Deny) Guests: All Access
(A;;0xf0007;;;SY)    // LocalSystem: Full
(A;;0x7;;;BA)        // Administrators: Read, Write, Clear
(A;;0x7;;;SO)        // Server Operators: Read, Write, Clear
(A;;0x3;;;IU)        // INTERACTIVE LOGON: Read, Write
(A;;0x3;;;SU)        // SERVICES LOGON: Read, Write
(A;;0x3;;;S-1-5-3)   // BATCH LOGON: Read, Write

* only if RestrictGuestAccess is set for this log

For more information, please refer to the following link: http://blogs.msdn.com/b/ericfitz/archive/2006/03/01/541462.aspx

I would like to suggest you export the following registry key as a backup:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog

Then delete all the values beginning with D except for (D;;0xf0007;;;AN) and (D;;0xf0007;;;BG) in the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application

After that, please double-check that the value (A;;0x7;;;SID) is correctly added to CustomSD. You need to replace SID with the correct user's SID. You may refer to the following registry key to check the correct SID for the user account you want to assign permissions to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList

If the issue persists, would you please send me more information for analysis. For your convenience, I have created a workspace for you. You can upload the information files to the following link. (Please choose "Send Files to Microsoft")

Workspace URL: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=bb269a9a-012d-4c76-9949-4a90aad48366
Password: G0s_v*Lc@)AVjgo

Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser.

Meanwhile, please note that files uploaded more than 72 hours ago will be deleted automatically. Please ensure that you notify me promptly after you have uploaded the files. Thank you for your understanding.

Export and send me the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application via the link above.

Collect GPMC log
============
1. On the domain controller, click Start -> Run, type GPMC.MSC, and it will load the GPMC console. If the GPMC snap-in is not installed.
2. Right-click "Group Policy Result" and choose the wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose the computer and select the proper user in the wizard.)
3. Right-click the resulting group policy result and click "Save Report…", save the report, and upload it to the link I provided.

Run the command:

cacls %SystemRoot%\System32\Winevt\Logs >C:\Dsacls.txt

and upload the C:\Dsacls.txt file.

Regards,

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
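The registry change discussed in the question and in the reply above, written out as an added example script (not code from the thread or from Microsoft): it resolves the service account to a SID, starts from the existing CustomSD or from the default descriptor quoted above, and appends a read/write allow ACE at the end of the DACL so the deny ACEs stay in front. The account name CONTOSO\svc-eventwriter is a hypothetical placeholder.

```powershell
# Added example, not from the thread: append a read/write ACE for a service
# account to the Application log's CustomSD. Run from an elevated prompt;
# -WhatIf shows the resulting descriptor without writing it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Account    = 'CONTOSO\svc-eventwriter',  # hypothetical account, change it
    [string]$LogName    = 'Application',
    [int]   $AccessMask = 0x3                          # 0x1 read, 0x2 write, 0x4 clear
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$LogName"

# Resolve the account name to a SID; the ACE must carry the SID, not the name.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Default descriptor for the Application log, as quoted in the reply above.
# Used only when no CustomSD value exists yet.
$default = 'O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)' +
           '(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)'
$current = (Get-ItemProperty -Path $key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if ([string]::IsNullOrEmpty($current)) { $current = $default }

# Refuse to touch a descriptor we do not understand: owner, group, then a
# DACL made only of simple (non-conditional) ACEs.
if ($current -notmatch '^O:[^:]+G:[^:]+D:[A-Z]*(\([^()]*\))*$') {
    throw "Unexpected CustomSD format: $current"
}

# Idempotent: do not add a second ACE for the same SID.
if ($current -like "*;;;$sid)*") {
    Write-Output "CustomSD already contains an ACE for $sid; nothing changed."
    return
}

# Appending an allow ACE keeps canonical order (denies first, as in the default).
$ace = '(A;;0x{0:x};;;{1})' -f $AccessMask, $sid
$new = $current + $ace

if ($PSCmdlet.ShouldProcess("$key\CustomSD", "Append $ace")) {
    Set-ItemProperty -Path $key -Name CustomSD -Value $new -Type String
    Write-Output "New CustomSD: $new"
    Write-Output 'Restart the Event Log service (or the computer) for the change to apply.'
}
```

If the log's SDDL is also managed through the local policy setting described in the question, that policy value is reapplied on refresh, so the same string must be set there as well.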
October 4th, 2010 6:14am

Thanks Authur. Will do ASAP.
October 4th, 2010 12:58pm

I added the string (A;;0xf0007;;;<account sid>) and it still didn't work. I have uploaded the files you requested. Thanks!
October 4th, 2010 1:55pm

Hi, According to the log, I find that Authenticated Users only has the following permissions for %SystemRoot%\System32\Winevt\Logs, and no write permission is assigned. Please try to add the write permission for Authenticated Users and check the result.

(CI)(special access:)
SYNCHRONIZE
FILE_GENERIC_READ
FILE_READ_DATA
FILE_READ_EA
FILE_READ_ATTRIBUTES

Regards,
October 4th, 2010 11:01pm

There is not %SystemRoot%\System32\Winevt\Logs on my server. Did you mean %SystemRoot%\system32\config? This is Windows 2003.
October 5th, 2010 11:32am

Hi, If the operating system is Windows Server 2003, please check the permissions for %SystemRoot%\system32\config and let us know the result.

Regards,
October 7th, 2010 10:28pm

