I'm using this query to check for certain Exchange account changes on my Windows 2008 R2 AD primary:
wevtutil qe Security /q:"*[System/EventID=5136]" /f:text /rd:true /c:1
I'm making a batch file out of it in order to send the event's contents as an attachment via email with Task Scheduler, as outlined in this post: http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx
The problem: I can do wevtutil qe System all day long, but if I do wevtutil qe Security like I need, I need to be at an elevated command prompt (same domain admin user credentials, just CMD run as admin). So when my scheduled task calls the batch file, even though the task has the option set to "run with highest privileges" under the SYSTEM account, it fails to run in an elevated prompt, meaning it runs into an error: "Failed to open event query. Access is denied."
So either one of these things can fix my issue:
- Open up the Security log to be like System log somehow, where you don't need an elevated prompt to access its contents using wevtutil
- Run the Scheduled Task action in an elevated prompt, somehow
- Some third thing I haven't thought of
Use an account that is a member of the Event Log Readers group.
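
One way to apply the answer above, as an added example that is not part of the original question or answer: a one-time setup script that puts a dedicated task account in Event Log Readers, checks the Security channel ACL, and registers the event-triggered task without elevation. The account name, task name and script path are hypothetical placeholders.

```bat
@echo off
rem Added example: one-time setup, run once from an elevated prompt on the DC.
rem ACCOUNT, TASKNAME and SCRIPT are hypothetical placeholders.
setlocal
set "ACCOUNT=svc-evtmail"
set "TASKNAME=Mail-Event-5136"
set "SCRIPT=C:\Scripts\mail5136.cmd"

rem 1. Put the task account in the built-in Event Log Readers group
rem    (well-known SID S-1-5-32-573). No admin membership is needed.
net localgroup "Event Log Readers" %ACCOUNT% /add

rem 2. Confirm the Security channel ACL still grants that SID access.
wevtutil gl Security | findstr /c:"S-1-5-32-573" >nul
if errorlevel 1 (
    echo Security log ACL has no entry for Event Log Readers; check channelAccess.
    exit /b 1
)

rem 3. Create the event-triggered task under that account. /RP * prompts for
rem    the password; no /RL HIGHEST, because the query no longer needs elevation.
schtasks /Create /TN "%TASKNAME%" /TR "%SCRIPT%" /SC ONEVENT /EC Security ^
    /MO "*[System/EventID=5136]" /RU %ACCOUNT% /RP *
if errorlevel 1 exit /b 1

rem 4. Fire the task once by hand and read back its last result code.
schtasks /Run /TN "%TASKNAME%"
schtasks /Query /TN "%TASKNAME%" /V /FO LIST | findstr /c:"Last Result"
endlocal
```

The task account also needs the "Log on as a batch job" user right to run from Task Scheduler, and the group membership only takes effect for logons made after it was added.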