Unable to record/save security (or any) event log files....

[multiband8303]

Here's the deal get this error message whenever I attempt to save my event viewer files..

Unable to save event log to file (\\servername\instance)- A required privilege is not held by this client...

smells like a permission problem right?...not so fast boys...
(reminder I am logged as domain admin)

Local security policy - user rights assignment, administrators is set....fine, I set it to domain admins, and also make domain admins run as operating system....

(sidenote, this is a terminal server with citrix....I am able to do this on my file server but neither of my terminal servers....)

So I think...may be a GPO issue...considering my Terminal Servers are in a different OU then my File server....But everything looks in order...

HELP AN IDIOT OUT! PLEASE AND THANK YOU IN ADVANCE!

 

[multiband8303]

Not a single person has a clue? I have done my research on this, any help would be greatly appreciated...

 

[Woodie]

To clarify:
this feature/function (export event log to file) works fine when you're using TSclient to connect to the file server, and running eventviewer there.
this feature/function does NOT work when you're using TSClient to connect to a Citrix server (in a different OU), and running eventviewer there.

Sounds to me like a Citrix lock-down sort of thing. IIRC, Citrix offers considerably more lockdown capabilites than TS does.

 

[nweaver]

can you save them locally (as opposed to on a remote server)

 

[jimdwa6538]

I'm having an identical issue on Win2003 as well. Same error:
Unable to save event log to file (\\servername\instance)- A required privilege is not held by this client
As the original poster.

I am unable to save the event log locally as an .evt file. I can save as a .csv or .txt either locally or on a share. I have tried through the Event Viewer on my workstation (connect to another computer) and also through remote desktop. It didn't work from the console either but it is attached to a ethernet KVM switch so it might be emulating remote access.

The servers I have the problem with are not a member of any OUs other than domain computers and they are effected by the default domain policy only (as far as I can tell) the only settings in the event viewer section of the policy is to set the size of the log and retention to overwrite when full.

The size set in the GPO is overridden locally by the MMC snap-in settings. All of the log files are full. And I can't use NTbackup to save them either. The backup kicks off normally but the .evt files never get copied. (could be a restricted file type. I didn't check)

 

[jimdwa6538]

Got it. Solved my own problem. I had to define the "Allow logon through terminal services" policy in the Default Domain Policy GPO and add the users and groups that needed access. You would have to do it to whatever GPO is enforced in your AD. FYI the path to that policy setting is: Default Domain Policy>Computer Configuration>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Allow logon through Terminal Services Right-click>Properties>Brows to user or group