SharePoint Bending: Allow Non-Administrator Users to Write to the Event Log

Windows SharePoint Services 3.0
Recently, a colleague asked me about an error that happened after he moved a WSS 3.0 Web site from the development to the production server.

When logged in as an administrator, all pages can be accessed successfully. But as a regular user, I got an “Access is denied” page when opening some pages containing custom web parts, with the following exception detail: System.ComponentModel.Win32Exception: Access is denied. Below it, in the stack trace, another exception appeared: InvalidOperationException: Cannot open log for source ‘Some_webpart’. You may not have write access.

This happens because, by default, non-administrator users do not have permission to write to the event log. The fix is to give non-administrator users that permission. If only it were that simple: unfortunately, there is no easy (user-friendly) way to do it. Follow these steps:

  1. Fire up the registry editor, which is usually located at C:\WINDOWS\regedit.exe.
  2. Navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application.
  3. Look for the entry CustomSD. It should contain a string similar to:

    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)

    The string is in SDDL (Security Descriptor Definition Language) format; you can find more information about the format at Microsoft’s site.

  4. Now tell Windows to give all authenticated users read-write permission on the event log. To do this, append the string (A;;0x3;;;AU) to the CustomSD entry so that it becomes:

    O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;AU)

After following the above steps, retry visiting the pages on your SharePoint site. The “access denied” problem should now be gone. I hope this helps you run your MOSS 2007 or WSS 3.0 installation on Windows 2003 Server.
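
To see exactly what the CustomSD value grants before and after the edit in step 4, this added example (not part of the original post) decodes each ACE into its type, event log rights and trustee. It uses the event log access bits 0x1 (read), 0x2 (write) and 0x4 (clear); the function names parse_custom_sd and added_aces are this example's own.

```python
import re

# Event log access bits carried in the low bits of each ACE's access mask.
RIGHTS = {0x1: "read", 0x2: "write", 0x4: "clear"}

# SDDL trustee abbreviations that appear in the CustomSD strings above.
TRUSTEES = {
    "AN": "Anonymous Logon", "BG": "Builtin Guests", "SY": "Local System",
    "BA": "Builtin Administrators", "SO": "Server Operators",
    "IU": "Interactive Users", "SU": "Service Logon Users",
    "S-1-5-3": "Batch", "AU": "Authenticated Users",
}

# The two CustomSD values from steps 3 and 4 of the post.
BEFORE = ("O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)"
          "(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)")
AFTER = BEFORE + "(A;;0x3;;;AU)"


def parse_custom_sd(sddl):
    """Decode the DACL of a CustomSD value into (type, rights, trustee) tuples."""
    _, found, dacl = sddl.replace(" ", "").partition("D:")
    if not found:
        raise ValueError("SDDL string has no DACL (D:) section")
    dacl = dacl.partition("S:")[0]  # ignore a SACL section if one follows
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6 or fields[0] not in ("A", "D"):
            raise ValueError("unsupported ACE: (%s)" % body)
        mask = int(fields[2], 16)
        rights = tuple(name for bit, name in RIGHTS.items() if mask & bit)
        kind = "allow" if fields[0] == "A" else "deny"
        aces.append((kind, rights, TRUSTEES.get(fields[5], fields[5])))
    return aces


def added_aces(before, after):
    """ACEs present in `after` but not in `before`, i.e. what an edit granted."""
    old = parse_custom_sd(before)
    return [ace for ace in parse_custom_sd(after) if ace not in old]


if __name__ == "__main__":
    for kind, rights, trustee in parse_custom_sd(AFTER):
        print("%-5s %-18s %s" % (kind, "+".join(rights), trustee))
    print("added:", added_aces(BEFORE, AFTER))
```

Running it on a CustomSD value before saving a change shows whether an ACE gives a broad group such as Authenticated Users read access as well as write.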

Disclaimer: remember to back up your registry before making any changes. I am not responsible for any damage to your system caused by registry errors.

  • chrisr

    Looks like this could cause a huge security issue. I don’t at all like the idea of giving every user in my organization read access (let alone RW) to the event logs on the servers. I find that utterly crazy. SharePoint needs to be made to get out of the way of applications that are hosted within, not make the entire network change…

  • denni

    Hi Chrisr,
    I agree that this should be avoided. It’s better to impersonate a user with write access than to give all users that permission.
    I provided the tip here just as a workaround, since he couldn’t make the code change immediately.