It seems to be a common problem (telling from the msdn newsgroups) that some user/service accounts can’t write to the EventLog under Windows 2003.
That’s what i answered (thought I post it here so i don’t have to repeat myself over and over again :)
Under Windows 2003 the EventLogs are ACLed – they can be found in the registry, e.g.
the default ACL for the Application Log is:
This is SDDL (Security Descriptor Description Language) and means:
O:BA Object owner is Built-in Admin (BA).
G:SY Primary group is System (SY).
D: This is a DACL, rather than an audit entry or SACL.
(D;;0xf0007;;;AN) Deny Anonymous (AN) all access.
(D;;0xf0007;;;BG) Deny Built-in Guests (BG) all access.
(A;;0xf0005;;;SY) Allow System Read and Clear, including DELETE, READ_CONTROL, WRITE_DAC, and WRITE_OWNER (indicated by the 0xf0000).
(A;;0x7;;;BA) Allow Built-in Admin READ, WRITE and CLEAR.
(A;;0x7;;;SO) Allow Server Operators READ, WRITE and CLEAR.
(A;;0x3;;;IU) Allow Interactive Users READ and WRITE.
(A;;0x3;;;SU) Allow Service accounts READ and WRITE.
(A;;0x3;;;S-1-5-3) Allow Batch accounts (S-1-5-3) READ and WRITE.
If you want to extend that ACL – you have to add the SID of the account and an access mask, which is as follows:
0x0001 ELF_LOGFILE_READ Permission to read log files.
0x0002 ELF_LOGFILE_WRITE Permission to write log files.
0x0004 ELF_LOGFILE_CLEAR Permission to clear log files.