7

We are very concerned about security, so we don't grant local admin privileges if not fully required or troubleshot first.

I have an application provider who needs to write to the Windows Event Log. The credentials to run their services are from a generic domain user. This generic user was already made a member of the "Power Users" group, but we are still unable to write to the Windows Event Log. Of course, if I grant membership in the "Local Administrators" group it works fine.

How do I allow a generic user to write to the Windows Event Log on Windows Server 2008 R2 or newer without granting the user Local Admin privileges?

Using other system accounts such as "SYSTEM, NETWORK or LocalService" is NOT an option; it must run with a domain user.

I say Reinstate Monica
MEXLG
  • [Writing to the Windows Event Log from an ASP.NET or ASP application fails](https://support.microsoft.com/en-us/kb/2028427) and [How to set event log security locally or by using Group Policy in Windows Server 2003](https://support.microsoft.com/en-us/kb/323076) should give you a starting point – John K. N. Dec 30 '16 at 07:40

1 Answer

3

You can do this by modifying the permissions of the registry entries for the Event log using Regedit.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\System\CustomSD 

This article from Microsoft has the details, which are different based on your situation, so I won't repeat them here.

uSlackr
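
As an added example (not part of the answer above and not Microsoft's own script): a PowerShell script that appends a write-only allow ACE for one account to the `CustomSD` SDDL string named in the answer, so the account gains event-log write access without local admin membership. The account name `CONTOSO\svc-app`, the parameter names and the `-Apply` switch are assumptions made for illustration.

```powershell
# Added example: append a write-only ACE for one account to an event log's CustomSD.
# 'CONTOSO\svc-app' is a hypothetical placeholder account, not from the original post.
param(
    [string]$Account = 'CONTOSO\svc-app',
    [string]$LogName = 'Application',
    [switch]$Apply          # without -Apply the script only shows the proposed value
)

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# SDDL ACEs reference the SID, not the account name.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Event log access mask bits: 0x1 = read, 0x2 = write, 0x4 = clear.
# 0x2 alone lets the account write events but not read or clear the log.
$ace = "(A;;0x2;;;$sid)"

$current = (Get-ItemProperty -Path $keyPath -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
if (-not $current) {
    # Do not guess a default descriptor; 'wevtutil gl <log>' prints the effective channelAccess.
    throw "No CustomSD value under $keyPath. Review 'wevtutil gl $LogName' before creating one."
}
if ($current -notmatch 'D:') { throw "CustomSD has no DACL section: $current" }

if ($current -like "*;;;$sid)*") {
    Write-Output "An ACE for $Account ($sid) already exists; nothing to do."
    return
}

# Keep the new ACE inside the DACL: insert before a SACL section ('S:') if one is present.
$saclAt = $current.IndexOf('S:')
if ($saclAt -ge 0) { $new = $current.Insert($saclAt, $ace) } else { $new = $current + $ace }

# Parse the result; the constructor throws if the SDDL string is malformed.
$null = New-Object System.Security.AccessControl.RawSecurityDescriptor($new)

Write-Output "Current : $current"
Write-Output "Proposed: $new"

if ($Apply) {
    # Record the old value next to the change so it can be restored.
    Set-Content -Path ".\CustomSD-$LogName-backup.txt" -Value $current
    Set-ItemProperty -Path $keyPath -Name CustomSD -Value $new
    Write-Output "CustomSD updated for the $LogName log."
}
```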