Firewall Service does not function after joining to a domain

  • Question

  • We are testing a couple workstations running Windows Vista RC1 and after joining the PC to our domain and logging in as the domain Administrator, we cannot start or restart the Windows Firewall service. After reinstalling Vista the first time, we joined the PC to the domain and logged in as a standard user in our IT group and could use the firewall, but once we logged in as domain Administrator, we started getting the message "Windows cannot start the Windows Firewall service."
    Monday, September 25, 2006 9:35 PM

All replies

  • Got the same problem after joining the domain. When trying to start the service manually we get Error 1297: A privilege that the service requires to function properly does not exist in the service account configuration...

    What does this mean? Any suggestions?

    Tuesday, October 24, 2006 1:06 PM
  • I am using RC2 and have not had this issue. Are there any group policies on the domain controller for firewalls?
    Friday, November 3, 2006 8:11 PM
  • I have the exact same problem. After joining the domain, I can no longer start the Windows Firewall. How can I disable the group policy?

    Saturday, December 23, 2006 6:43 AM
  • Are there firewall policies on the GPO on the domain? Are you an admin or a user?

    Check this link for info on group policies:

    http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1000379&SiteID=17

    Saturday, December 23, 2006 8:09 PM
  • I, too, have this issue. Vista, after joined to a domain, refuses to start the firewall service and gives me the same errors as above. I've disabled our domain policy and rebooted multiple times, as well as run gpupdate on the Vista workstation. Gpedit.msc shows all firewall policies as being "Not configured". I have disconnected the affected Vista machine from the domain and made sure the Domain Profile for "Prohibit use of" setting is "Not configured".

    We are testing Vista for our domain and absolutely need remote desktop access to Vista, but can't because of the firewall not working. Moreover, we absolutely do not want a firewall in Vista at all on our domain.
    Thursday, December 28, 2006 10:38 PM
  • What version of Vista are you running? My firewall service is started.
    Tuesday, January 2, 2007 5:08 PM
  • We are using Vista RC1... the firewall runs but after joining to our domain it doesn't anymore.  Maybe there is something conflicting in group policy.
    Tuesday, January 2, 2007 5:30 PM
  • Interestingly enough I am having this same problem with the Telephony service after joining my machine to the domain today.

    I am using the RTM release, so if this is a problem it is a problem in the final release. I joined the domain; however, I am not part of an OU or any GPOs other than the default domain policy, which I'm checking into now.

    Cheers.

    Wednesday, January 3, 2007 1:42 AM
  • OK, after some more investigation it turns out that it is indeed the default domain policy affecting the services' login accounts, or DCOM possibly. I'm not sure yet which policy it is.

    What I did was create an OU with Policy Inheritance disabled. I removed my machine from the domain and moved the computer account to the new OU. I ran a gpupdate /force to re-enable the local default GPO and rebooted. Then re-attached to the domain and functionality has remained.

    Cheers,

    Kevin

    Wednesday, January 3, 2007 3:54 AM
  • Kevin,  Have you figured out what GP it was?  What is an OU?  I am having these issues also and cannot find an answer.
    Wednesday, January 17, 2007 4:13 PM
  • I had this same problem and found it was a problem with the user rights for the local service account.  Make sure the group policy has both LOCAL SERVICE and NETWORK SERVICE listed for the Adjust Memory Quotas for a Process right.   I had to reboot my Vista PC after pulling the new policy but all services started.   Hope this helps...

    Thursday, January 25, 2007 6:40 PM
  •  gergy9 wrote:
    Kevin,  Have you figured out what GP it was?  What is an OU?  I am having these issues also and cannot find an answer.

    Quick 30,000 ft view:

    GP = Group Policy - "templates" to centrally configure and administer resources in the domain (security, desktop settings, etc.)
    OU = Organization Unit - used to group similar resources together to simplify administration

    These are all terms related to Active Directory (AD). Windows Vista, like Windows XP, is a workstation client (desktop or laptop) that can be joined to an AD domain and managed using some of these technologies / techniques.

    Hope this helps. Please let us know. Thanks!

    Thursday, January 25, 2007 9:34 PM
  •  Jason340 wrote:

    I had this same problem and found it was a problem with the user rights for the local service account. Make sure the group policy has both LOCAL SERVICE and NETWORK SERVICE listed for the Adjust Memory Quotas for a Process right. I had to reboot my Vista PC after pulling the new policy but all services started. Hope this helps...



    I completed these steps, updated the GP, rebooted the local PC twice and still cannot start the firewall service due to the service missing some privilege. 
    Wednesday, February 7, 2007 2:17 PM
  • I have this same problem but am using Vista Business.  No Beta.  I was wondering if this was ever figured out to the point that the GP was actually identified and the problem was resolved.  I have tried the steps of no inheritance and that worked, but as soon as I rejoin the domain it goes back to the same problem.  Any help?
    Wednesday, February 7, 2007 7:26 PM
  • No, I never figured out the GPs.  I did however find a workaround.  After imaging the machine, immediately turn off the firewall.  Then go into firewall with advanced security and turn off the other 2.  Now join it to the domain.  Windows Firewall will still no longer work but at least you can use the PC on the network with no problems.  We use Bit Defender with a local firewall anyway so I could care less if Windows Firewall works or not.  Stupid way of doing things though.  Hope this helps.
    Wednesday, February 7, 2007 9:48 PM
  • When I was having this problem, I narrowed it down to a right missing in group policy.  Before I joined the PC to the domain (and the firewall service worked) I wrote down all rights that Network Service and Local Service had on the PC by looking at the local group policy.  Then I joined the PC to the domain, let the domain policy apply and then compared what was applied to the pre-domain policy I wrote down.   Doing this I was able to narrow it down to two policies on the domain that I had to add the Local Service and Network Service to (it may be different for you depending on the domain policy).  Remember to add the rights at the appropriate place in the domain policy and not the local policy.  A quick gpupdate and reboot and it should work... Hope this helps further...
    Thursday, February 8, 2007 3:52 PM
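
The before/after comparison described in the post above can be scripted; this is an added example, not code posted by anyone in this thread. It assumes `secedit /export` text as input and the well-known SIDs S-1-5-19 (LOCAL SERVICE) and S-1-5-20 (NETWORK SERVICE); the function names and sample data are constructed. In the export, "Adjust memory quotas for a process" appears as SeIncreaseQuotaPrivilege and "Replace a process level token" as SeAssignPrimaryTokenPrivilege.

```powershell
# Added example. Real input comes from an elevated prompt, once before the
# domain join and once after the domain policy has applied:
#   secedit /export /cfg before.inf /areas USER_RIGHTS
#   secedit /export /cfg after.inf  /areas USER_RIGHTS
# Constructed sample exports, not taken from any machine in this thread.
$before = @'
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeServiceLogonRight = *S-1-5-20
'@
$after = @'
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeServiceLogonRight = *S-1-5-20
'@

# Well-known SIDs of the two built-in service accounts.
$accounts = @{ 'S-1-5-19' = 'LOCAL SERVICE'; 'S-1-5-20' = 'NETWORK SERVICE' }

function Get-RightsMap([string]$InfText) {
    # Right name -> holders, read from the [Privilege Rights] section only.
    $map = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $map[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    return $map
}

function Compare-ServiceRights([string]$Before, [string]$After) {
    # Emits one object per right that a service account held before and lost.
    $b = Get-RightsMap $Before
    $a = Get-RightsMap $After   # a right with no holders is absent from the export
    foreach ($right in ($b.Keys | Sort-Object)) {
        foreach ($sid in ($accounts.Keys | Sort-Object)) {
            $lost = ($b[$right] -contains $sid) -and -not ($a[$right] -contains $sid)
            if ($lost) { [pscustomobject]@{ Right = $right; Account = $accounts[$sid] } }
        }
    }
}

Compare-ServiceRights $before $after | Format-Table -AutoSize
```

Restoring only the rights this diff reports keeps the domain policy from granting the service accounts more than they held locally. For real exports, load each file with `Get-Content before.inf -Raw`; the privileges a service declares as required can be listed with `sc qprivs MpsSvc` (MpsSvc is the Windows Firewall service name).
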
  • What policies were yours? I added those two users to the Adjust Memory quotas for a process but can't figure out where else to add those users.
    Friday, February 9, 2007 7:52 PM
  • I added LOCAL SERVICE to 'Adjust memory quotas for a process' AND 'Allow log on locally' - that did the trick for me.
    Tuesday, February 13, 2007 8:05 PM
  • I had to add Local Service and Network Service to "Replace a process level token" to get mine to work.
    Thursday, February 15, 2007 1:52 AM
  • Neither of those links is of any use, because you can't change firewall settings if the darn thing will not start.

    I added LOCAL and NETWORK SERVICE to both "Adjust memory quotas" and "Replace a process level token" and "Allow log on locally". Successfully ran gpupdate on the server, then rebooted the workstation. Confirmed on the workstations the permissions propagated, and still cannot get the firewall service to start. This is particularly annoying because the "Diagnostic Policy Service" also fails to start with the same error.

    Is there somewhere I can go to look up what specific rights Windows Firewall service needs in Vista to end all this guessing?


    Monday, February 26, 2007 7:46 PM
  • This problem has affected one more service. I have been using Vista since Beta 2, and since that beta the WMDC doesn't recognize my smartphone/PDA after joining a domain. Now the telephony service won't start (after joining the domain) because it's missing a qualification that is needed to work properly (error 1297). Remote Access Auto Connection Manager and Remote Access Connection Manager depend on this service, so they won't start either. All this is working under the network services account.
    I cannot imagine that this problem is not well known by the engineers of Microsoft.

    Thursday, March 1, 2007 8:56 AM
  • Alright, the workaround from Kevin aka Spd_Demon worked for me.

    "What I did was create an OU with Policy Inheritance disabled. I removed my machine from the domain and moved the computer account to the new OU. I ran a gpupdate /force to re-enable the local default GPO and rebooted. Then re-attached to the domain and functionality has remained."

    Only the part about re-enabling and re-attaching to the domain was not necessary for me.
    It's obvious that there must be some adjusting to the domain policy. I read that there are security templates for Vista (and Longhorn), but normally those templates extend the default possibilities (I thought).

    Grtz. Hans

    P.S. I'm ashamed, RTFM: http://www.microsoft.com/downloads/details.aspx?FamilyID=a3d1bbed-7f35-4e72-bfb5-b84a526c1565&DisplayLang=en

    Thursday, March 1, 2007 2:17 PM
  • I ran the install again to get mine working.  Kind of drastic but frustration set in!

    Matt.

    Monday, March 12, 2007 10:09 AM
  • Hi, finally got this to work with the below.

    The problem started when I installed Vista Ultimate as an upgrade from an OEM disk from Windows XP on our domain. Not only did the firewall break but so did other services, such as:

    Remote Access Connection Manager
    Error: 7000
    Service Control Manager
    Error: 7000

    These stopped the Telephony Service from launching, which seemed to have a knock-on effect on the dependencies. I managed to get all of these services working and then finally the firewall service started by following the below.

    I opened our domain group policy (if you don't know how, I added instructions below) and added "Local Service" & "Network Service" to these user rights assignments:

    Act as part of the operating system
    Adjust memory quotas for a process
    Allow log on locally
    Log on as a service
    Replace a process level token

    (If you are using AD on 2000 Server then some of the names vary; they are similar and work the same.)

    On your Vista PC open a command prompt and run gpupdate /force

    This will update your group policy locally. Reboot and see if the services have started. If not, as mine didn't, from Run type secpol.msc and see if the user rights under Local Policies are in there. You can also see the icons are different shades for policies that have come over from the group policy, which helps you to see which ones might have changed or may need changing.

    Now open Services (Run -> services.msc), open the Windows Firewall service, put in "Local Service" with no password, close it and try starting it. If it still fails you need to check through the policies again and see if Local Service is in the ones that came over from the group policies. Mine finally started after I had rebooted with the firewall service set to Manual and then I entered "Local Service" and started it successfully. I have no idea why it didn't start on Automatic, but now it does it fine.

    How to open your Domain Group Policy:
    On your Domain Controller, Start -> Run -> type mmc and hit Enter
    Console -> Add/Remove Snap-in
    Click Add
    Find Group Policy and select it
    Browse for your domain policy and choose it (if it's not there then you don't have one)
    OK & Finish
    Expand Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
    Make the adjustments to the rights as above.

    Tuesday, March 13, 2007 11:04 AM
  • Thanks for pointing me in the right direction. I experienced this problem with the Windows Firewall after joining Vista Business to a Windows 2000 Domain.

    In 2000, the user right 'Adjust memory quotas for a process' is simply called 'Increase quotas'

    Wednesday, March 14, 2007 1:42 PM
  • Thanks WayneITDude!
    "gpupdate /force" did not work for me even with a reboot and retrying it multiple ways.

    After leaving the domain and re-joining did the firewall service start without errors.

    P.S. If you do not set a password for local admin, the account is disabled by default (unlike XP).
    P.P.S. If you leave a domain, make sure you have an enabled local account or you will not be able to log in, except in safe mode.
    Tuesday, March 20, 2007 2:26 PM
  • Look for the domain policy ... etc. A firewall policy for Windows XP SP2 PCs causes an error on a Vista PC.

    Tuesday, April 10, 2007 12:11 PM