This is a 2-part question:
- Is there anything in a Windows Server 2003 domain environment that would cause accounts granted Log On As A Service rights to lose those rights after a few hours?
- And if not, am I just going insane?
2 accounts are used for Office Communication Server on a Windows 2003 OCS server. Services start fine, then after stopping them, on next start, they are not granted the Log On As A Service right. Grant them, and the services start again.
... and then we repeat. What in the world would cause this?
Every few hours, eh? Hmm... sounds like Group Policy refresh.
Sounds like you've got a GPO overriding the local security policy.
Run Resultant Set of Policy (RSoP) on one of the affected server computers and see if you see a GPO doing anything with the "Logon as a Service" user rights assignment. My guess is that you do.
Either alter the GPO to include the accounts that need the right or change the scope of the GPO not to apply to those computers.
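As an added example (not part of the original answer), the PowerShell below checks whether given service accounts appear under `SeServiceLogonRight`, the constant for "Log on as a service", in a security template such as a `secedit` export or a GPO's security template. It assumes PowerShell 3.0 or later; the account names `CONTOSO\svc-ocs-a` and `CONTOSO\svc-ocs-b` and the INF text are constructed sample data.

```powershell
# Added example; the INF text and account names are constructed sample data.
function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$Right = 'SeServiceLogonRight')
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match "^$Right\s*=\s*(.*)$") {
            # Entries are comma separated; SIDs are written with a leading '*'.
            $holders = @($Matches[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
            return @{ Defined = $true; Holders = $holders }
        }
    }
    # Right absent from the template: this policy does not touch the local list.
    return @{ Defined = $false; Holders = @() }
}

function Resolve-Sid([string]$Account) {
    try { ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }   # not resolvable, e.g. when run against the sample data off-domain
}

function Test-ServiceLogonRight {
    param([string[]]$InfLines, [string[]]$Accounts)
    $r = Get-UserRightHolders -InfLines $InfLines
    foreach ($a in $Accounts) {
        $sid = Resolve-Sid $a
        if (-not $r.Defined) {
            $state = 'NotDefined'      # nothing here overrides a local grant
        } elseif (($r.Holders -contains $a) -or ($sid -and ($r.Holders -contains $sid))) {
            $state = 'Granted'
        } else {
            $state = 'Missing'         # defined without this account: a local grant is replaced
        }
        [pscustomobject]@{ Account = $a; ServiceLogonRight = $state }
    }
}

# Constructed sample in the INF layout used by secedit exports and GPO templates.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,CONTOSO\svc-ocs-a
SeBatchLogonRight = *S-1-5-32-544
'@ -split '\r?\n'

Test-ServiceLogonRight -InfLines $sampleInf -Accounts 'CONTOSO\svc-ocs-a', 'CONTOSO\svc-ocs-b'

# Live check on an affected server, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-ServiceLogonRight -InfLines (Get-Content "$env:TEMP\rights.inf") -Accounts '<DOMAIN\account>'
```

With the sample data the first account reports `Granted` and the second `Missing`. Running the live check before and after a policy refresh shows whether the accounts drop out of the list at that point.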
Note that this also applies to newer versions of Windows. The instructions to enable a domain user (or group) to retain this right after a GPO refresh are outlined very well here: https://www.coretechnologies.com/blog/windows-services/windows-service-forgets-password/. In case this goes away, I will summarize it here: