I am having trouble getting a logon script to write to a custom event log I've created on a new 2008r2 server. We migrated from 2003 last year and our logon script had an eventcreate command which would log every user's logon and logoff under an event log named "scripts". We have two domains, both use 2008r2, and the domain with the *more* restrictive logon policies does this flawlessly.
The process goes as follows:
* User logs in to any domain machine
* Logon script runs and calls eventcreate to create an event with the user's account as the event source (i.e. user "example" would create an event with source "example_logon" in the "scripts" event log)
* User finally logs off
* Logoff script runs and calls eventcreate to create an event with the user's account (i.e. in this case "example_logoff" would appear in the log file)
I have copied the steps from the other domain which works into the new domain, but it still will not create the correct sources after logging on/off unless the user is a domain admin. I've tried looking through tons of places but I can't see where this is going wrong for me. I think it's a permissions issue, because once I'm logged in as a regular user, I can use eventcreate to log events to the custom log, but I cannot use eventcreate to log events to the same place if I specify the source using the /SO switch. Every time I use the /SO switch, I get "access denied". Leaving /SO off, it logs successfully. I can also add new registry keys to \\DomainController\HKLM\System\CurrentControlSet\services\eventlog\scripts from a non-elevated command prompt as a regular user, so the registry permissions seem to be set correctly.
From domain2 (the one that works), if a user logs on for the first time, the logon script will log the event correctly with no problems whatsoever. It creates the event source on the first logon *and* logoff without having to use any elevated prompting or admin rights assignments. On domain1 with the same security and permissions (as far as I can tell) I have nothing but "access denied" during the logon/logoff process. Can someone help me figure out where my permissions might be wrong?
EDIT: I neglected to mention that the steps I've taken are
* create a new key under HKLM\system\CurrentControlSet\services\eventlog
* add authenticated users with read permissions to the eventlog key
* add authenticated users with full permissions to the script key under eventlog
* added a new string to the script key with name "CustomSD" and value "O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x7;;;SO)(A;;0x3;;;IU)(A;;0x3;;;SU)(A;;0x3;;;S-1-5-3)(A;;0x3;;;S-1-5-33)(A;;0x7;;;S-1-5-32-573)(A;;0x7;;;AU)"
* rebooted DC
Just for good measure I also moved the eventlog .evt file out from the %windir% path and put it in a separate folder which is less restrictive for users as far as permissions go. This wasn't specified in any documentation I read; I was just trying it in case it was a file system permissions problem.
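A diagnostic you can run as a regular user on each domain to compare the pieces that have to line up for `eventcreate /L scripts /SO <user>_logon` to succeed: the registry ACL on the log key (a new /SO source is a new subkey under it), the CustomSD decoded ACE by ACE, whether the source subkey already exists, and finally the same eventcreate call the logon script makes, with its exit code. This is an added example, not code from the original post. It assumes the log name "scripts" and the registry path quoted in the question; the `$Computer` default (local machine) and the source name are placeholders, so point `$Computer` at the DC if that is where the log lives.

```powershell
# Added diagnostic, not from the original post. Dumps the three things that
# have to line up for "eventcreate /L scripts /SO <user>_logon" to work for a
# regular user, then attempts the write the same way the logon script does.
# Assumptions (not from the post): log name "scripts", the registry path from
# the question, $Computer defaulting to the local machine, a throwaway source.
param(
    [string]$LogName  = 'scripts',
    [string]$Computer = $env:COMPUTERNAME,
    [string]$Source   = "$($env:USERNAME)_logon"
)

$logKeyPath = "SYSTEM\CurrentControlSet\Services\EventLog\$LogName"
$hive   = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
$logKey = $hive.OpenSubKey($logKeyPath, $false)
if ($logKey -eq $null) { throw "HKLM\$logKeyPath not found on $Computer" }

# 1. Registry ACL on the log key: eventcreate /SO registers the source by
#    creating a subkey here, so the calling user needs CreateSubKey rights.
"== Registry ACEs on \\$Computer\HKLM\$logKeyPath"
$logKey.GetAccessControl().Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize | Out-String

# 2. Decode CustomSD so each ACE is readable. Channel access mask bits:
#    0x1 = read, 0x2 = write, 0x4 = clear.
$sddl = $logKey.GetValue('CustomSD')
if ($sddl) {
    "== CustomSD on $LogName"
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = @()
        if ($ace.AccessMask -band 1) { $rights += 'read' }
        if ($ace.AccessMask -band 2) { $rights += 'write' }
        if ($ace.AccessMask -band 4) { $rights += 'clear' }
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        '{0,-12} {1,-40} 0x{2:x}  {3}' -f $ace.AceType, $who, $ace.AccessMask, ($rights -join '+')
    }
} else {
    "== No CustomSD value on $LogName (the log uses the default descriptor)"
}

# 3. Is the source already registered under this log, and with which message file?
$srcKey = $logKey.OpenSubKey($Source, $false)
if ($srcKey) {
    "== Source '$Source' exists; EventMessageFile = $($srcKey.GetValue('EventMessageFile'))"
} else {
    "== Source '$Source' is not registered yet; eventcreate /SO will have to create it"
}

# 4. Do exactly what the logon script does, as the current non-elevated user,
#    and report the exit code so the two domains can be compared side by side.
$ecArgs = @('/L', $LogName, '/SO', $Source, '/T', 'INFORMATION', '/ID', '1',
            '/D', "diagnostic logon event for $env:USERNAME")
if ($Computer -ne $env:COMPUTERNAME) { $ecArgs = @('/S', $Computer) + $ecArgs }
& eventcreate.exe @ecArgs
"== eventcreate exit code: $LASTEXITCODE"
```

Run it once on each domain and diff the first two sections: a source that a regular user can create on domain2 but not domain1 points at the registry ACEs (inherited deny entries or a missing CreateSubKey right show up in the `RegistryRights` column), while a write that fails even for an existing source points at CustomSD. The decoded CustomSD is also worth reading for its own sake: the `(A;;0x7;;;AU)` entry from the question grants Authenticated Users read, write and clear on the log, so any domain user can wipe the logon/logoff trail, and full control on the `scripts` key lets any user change the `EventMessageFile` of every source under it. Write (0x2) plus CreateSubKey on the key is the minimum that the described logon script actually needs.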