It seems to be a common problem (judging from the MSDN newsgroups) that some user/service accounts can’t write to the EventLog under Windows 2003.
That’s what I answered (thought I’d post it here so I don’t have to repeat myself over and over again :)
Under Windows 2003 the EventLogs are ACLed – the ACL is stored in the registry in the CustomSD value, e.g.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\CustomSD
the default ACL for the Application Log is:
O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)
Nice, eh??
This is SDDL (Security Descriptor Definition Language) and means:
O:BA Object owner is Built-in Admin (BA).
G:SY Primary group is System (SY).
D: This is a DACL, rather than an audit entry or SACL.
(D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
(A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU) Allow Service accounts READ and WRITE.
(A;;0x3;;;S-1-5-3) Allow Batch accounts (S-1-5-3) READ and WRITE.
If you want to extend that ACL, you add an ACE containing the SID of the account and an access mask built from the following bits:
0x0001 ELF_LOGFILE_READ Permission to read log files.
0x0002 ELF_LOGFILE_WRITE Permission to write log files.
0x0004 ELF_LOGFILE_CLEAR Permission to clear log files.
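As an added example (not from the original post), here is a small Python helper that splits a CustomSD string into its ACEs, decodes the masks listed above, checks whether an account (given as the set of SIDs it carries, since a deny on a group wins) ends up with write access, and appends an allow ACE granting only what is needed. The account SID used below is a constructed placeholder.

```python
import re

# Event log access mask bits as listed above, plus the standard rights nibble
ELF_LOGFILE_READ, ELF_LOGFILE_WRITE, ELF_LOGFILE_CLEAR = 0x1, 0x2, 0x4
STANDARD_RIGHTS = 0xF0000  # DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER

# Default Application log CustomSD quoted in the post
DEFAULT_APPLICATION_SD = (
    "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
    "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)"
)

# Matches the simple "(type;;mask;;;sid)" ACEs used in event log CustomSD strings
ACE_RE = re.compile(r"\((A|D);;(0x[0-9A-Fa-f]+);;;([^)]+)\)")


def parse_dacl(sddl):
    """Return (owner/group prefix incl. 'D:', [(type, mask, sid), ...])."""
    head, sep, dacl = sddl.partition("D:")
    aces = [(t, int(m, 16), s) for t, m, s in ACE_RE.findall(dacl)]
    return head + sep, aces


def describe(mask):
    """Human-readable decoding of an event log access mask."""
    bits = ((ELF_LOGFILE_READ, "READ"), (ELF_LOGFILE_WRITE, "WRITE"),
            (ELF_LOGFILE_CLEAR, "CLEAR"), (STANDARD_RIGHTS, "STANDARD_RIGHTS"))
    return "|".join(name for bit, name in bits if mask & bit) or "NONE"


def has_access(aces, sids, wanted):
    """Deny ACEs matching any of the account's SIDs win over allows; otherwise
    a single allow ACE must cover every wanted bit."""
    if any(t == "D" and s in sids and m & wanted for t, m, s in aces):
        return False
    return any(t == "A" and s in sids and m & wanted == wanted for t, m, s in aces)


def add_allow_ace(sddl, sid, mask):
    """Append an allow ACE; a no-op if the SID already holds those bits."""
    _, aces = parse_dacl(sddl)
    if any(t == "A" and s == sid and m & mask == mask for t, m, s in aces):
        return sddl
    return sddl + f"(A;;{mask:#x};;;{sid})"


if __name__ == "__main__":
    svc = "S-1-5-21-1000-2000-3000-1234"  # constructed placeholder account SID
    _, aces = parse_dacl(DEFAULT_APPLICATION_SD)
    for t, m, s in aces:
        print(t, s, describe(m))
    print("can write:", has_access(aces, {svc}, ELF_LOGFILE_WRITE))
    print(add_allow_ace(DEFAULT_APPLICATION_SD, svc, ELF_LOGFILE_WRITE))
```

Granting 0x2 (write only) rather than 0x7 keeps the account from clearing the log, which is the least-privilege choice for a service that merely needs to log events.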
More Info on SDDL and an article by Michael Howard about security changes in w2k3 can be found here and here.
