Re: Cannot open log for source {0} -- again

• Previous message: Joe Kaplan \(MVP - ADSI\): "Re: ASP.NET Application intermittently fails to start"
• In reply to: Nicole Calinoiu: "Re: Cannot open log for source {0} -- again"
• Next in thread: Nicole Calinoiu: "Re: Cannot open log for source {0} -- again"
• Reply: Nicole Calinoiu: "Re: Cannot open log for source {0} -- again"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 4 Apr 2005 08:30:13 -0700

> When you add an existing user to a group, the new
> group membership will not take effect until the
> next time the access token for the account is
> generated. For typical user accounts, this will
> be at the next login. For the IUSR account, this
> is far more difficult to control. The best way to
> ensure that the token is refreshed is to reboot the
> machine.

I was finding this to be the case. I also found that doing an iisreset
after changing group membership solved the problem.

I have since been able to determine that the offending element in the
whole thing seems to be the Guests group. If the IUSR account is a
member of the Guests group, regardless of any other group membership
then writing to the event log fails (i.e. IUSR could be a member of
Administrators as well as Guests and it would still fail). I removed
IUSR from all groups and it worked. So apparently it has nothing to do
with the IUSR account but rather the Guests group. There must be an
explicit "deny" somewhere in the system for that group that is causing
the failure, but I have been unable to locate it with regmon, filemon,
and auditing.

> BTW, adding a user to the administrators groups
> is not exactly the safest way to gain write access
> to the application event log...

I'm fully aware of that. Unfortunately, given the thundering silence
that is the response to this problem it becomes necessary to try
various combinations to see what might work so one can compare the
differences between account and group permissions in an attempt to
figure out exactly what is necessary to make it work. I realize using
the Administrators group or Administrator account is not a long-term
solution, it was simply another data point in trying to narrow down the
problem.

• Previous message: Joe Kaplan \(MVP - ADSI\): "Re: ASP.NET Application intermittently fails to start"
• In reply to: Nicole Calinoiu: "Re: Cannot open log for source {0} -- again"
• Next in thread: Nicole Calinoiu: "Re: Cannot open log for source {0} -- again"
• Reply: Nicole Calinoiu: "Re: Cannot open log for source {0} -- again"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]