NetInverse Developers Blog

March 9, 2009
Category: .Net, ASP.Net — admin @ 7:30 pm

An ASP.Net application may return an “Access Denied” error when it accesses the event log.

If it is not a GPO permission issue from your domain controller, you may need to check the SDDL string specified in the registry for the event log.

For example, if the identity of the app pool is the “Network Service” account, “impersonation” in the web.config is true and authentication is enabled, you may need to add a WRITE access ACE (A;;0x2;;;AU) for the authenticated users to the following registry key.

HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\CustomSD

(A;;0x2;;;AU)   Note: AU means "Authenticated Users"

Similarly, you can grant permissions to the “Network Service” account.

(A;;0x2;;;NS)   Note: NS means "Network Service" account

What does (A;;0x2;;;AU) mean? It is one access control entry: A is an access-allowed ACE, 0x2 is the write access bit for event logs, and AU is the Authenticated Users SID. You can check out Microsoft’s SDDL (Security Descriptor Definition Language) documentation on MSDN.
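Before editing CustomSD it helps to see which principals the current string already grants write access, since every writer can also inject entries into the log. The following is an added example (not code from the original post) that parses the ACEs of a constructed CustomSD value, checks a SID for write access while honouring deny ACEs, and appends the (A;;0x2;;;SID) entry only when it is missing. It assumes hex rights masks and that the D: section is the last one in the string.

```python
import re

# Constructed sample CustomSD (not taken from a real machine): an Application
# log DACL with the (A;;0x2;;;AU) write ACE from the post appended at the end.
SAMPLE_CUSTOMSD = ("O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)"
                   "(A;;0x1;;;S-1-5-32-573)(A;;0x2;;;AU)")

# Event-log specific access bits carried in the rights field of an ACE.
READ, WRITE, CLEAR = 0x1, 0x2, 0x4

# One SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((\w+);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")

def parse_dacl(sddl):
    """Return [(ace_type, mask, sid), ...] for every ACE in the D: section."""
    # Assumption: no S: (SACL) section follows the DACL in the string.
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    aces = []
    for m in ACE_RE.finditer(dacl):
        ace_type, _flags, rights, _obj, _inh, sid = m.groups()
        if not rights.lower().startswith("0x"):
            raise ValueError("only hex rights masks are handled here: " + rights)
        aces.append((ace_type, int(rights, 16), sid))
    return aces

def has_access(sddl, sid, wanted):
    """True if `sid` is allowed every bit in `wanted` and no deny ACE removes one."""
    allowed, denied = 0, 0
    for ace_type, mask, ace_sid in parse_dacl(sddl):
        if ace_sid != sid:
            continue
        if ace_type == "A":
            allowed |= mask
        elif ace_type == "D":
            denied |= mask
    # A deny on any wanted bit wins, whatever the ACE order.
    return (denied & wanted) == 0 and (allowed & wanted) == wanted

def writers(sddl):
    """SIDs that can write to the log, i.e. everyone able to add entries."""
    sids = {sid for _, _, sid in parse_dacl(sddl)}
    return sorted(s for s in sids if has_access(sddl, s, WRITE))

def add_write_ace(sddl, sid):
    """Append (A;;0x2;;;sid) unless the SID already has write access."""
    if has_access(sddl, sid, WRITE):
        return sddl
    return sddl + "(A;;0x2;;;%s)" % sid
```

Run writers() against the value read from the CustomSD key before and after the change to confirm that only the intended principal was added.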

Windows 2008 is much easier as long as you are OK with giving the user/group read access to all event logs. If that is the case, just add them to the built-in Event Log Readers group.

The location of the SDDL has changed in Windows 2008 and it is no longer set via the CustomSD value in the registry. You now have to use the command line wevtutil utility.
