Have you ever had a situation where you have a service account configured on a Windows box and everything works great… until you reboot the server? After the reboot though, the service doesn’t start. When you open the services MMC, you discover that the status is in fact shown as not started.
So you right-click and try to start it. But that doesn’t work. You get a “service did not start due to login failure” error. That’s odd.
So you open the properties of the service, retype the password and voila! It works…
… until you reboot again at which point you repeat the entire process over again. What’s going on here?
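It turns out that if you defined the “Log on as a service” right in a GPO (most likely the Default Domain Policy), that policy will trump any local server settings (just as GPOs are supposed to). Retyping the password in the service properties grants the account that right locally, but when the GPO is reapplied its list replaces the local assignment, so the account loses the right again.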
So to ensure that the server will “remember” the password across reboots, you need to do the following:
- On a domain controller, open the Group Policy Management Console
- Open the policy where you configured the “Log on as a service” right (again, most commonly this is done in the Default Domain Policy)
- Browse the tree to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Log on as a service
- Edit the Log on as a service setting
- If you are experiencing the problem described in this HOWTO, the “Define these policy settings” will be enabled and you will have domain accounts specified in the list. These are the ONLY accounts that are allowed to log on as a service in your domain. You should further find that the domain account specified in the service in question is not listed here. You’ll need to add it.
- Once you’ve done this, refresh your group policy on the server in question. You can run rsop.msc (Resultant Set of Policy) on the server to validate that the new account is present.
- That should be it. Now when you reboot the server, the service will start normally on next boot!
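
As a command-line complement to the rsop.msc check, the following PowerShell (an added example, not part of the original post) exports the server's effective user rights and reports, for each service running under a named account, whether that account is listed for “Log on as a service” (SeServiceLogonRight). It assumes an elevated session on the affected server; `Resolve-Sid` is a helper name chosen for this example.

```powershell
# Added example: run elevated on the affected server after Group Policy has refreshed.
# Export only the user rights section of the effective security policy.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export holds one line per right, e.g. SeServiceLogonRight = *S-1-5-...,*S-1-5-...
$line = Get-Content $inf | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

function Resolve-Sid([string]$Name) {
    # Services store local accounts as ".\user"; NTAccount needs the machine name instead.
    $Name = $Name -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        ([System.Security.Principal.NTAccount]$Name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # account could not be resolved
}

# Entries are SIDs prefixed with "*", or plain account names; normalise all to SIDs.
$granted = @()
if ($line) {
    $granted = @(($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.TrimStart('*') } else { Resolve-Sid $entry }
    } | Where-Object { $_ })
}

# Scope: named user accounts only, as in the article; built-in identities are skipped.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and
                   $_.StartName -notmatch '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)' } |
    ForEach-Object {
        $sid = Resolve-Sid $_.StartName
        [pscustomobject]@{
            Service       = $_.Name
            Account       = $_.StartName
            Sid           = $sid
            # Direct grants only: a right held through group membership shows False.
            HasLogonRight = [bool]($sid -and $granted -contains $sid)
        }
    } | Format-Table -AutoSize
```

A service whose account shows `HasLogonRight` as False, and which is not covered by a group listed in the GPO, is one that will fail with the logon error on the next start.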