none
Service fails to start, error 1297 and 7000

    Question

  • I have a lab configured with a single domain controller and one client server.  Both servers are Windows Server 2008 R2 Standard and the functional level of the domain is Windows Server 2008 R2.  After I promoted the domain controller, I did not make any changes to the default domain policy GPO.  My problem is this:  I created a Managed Service Account and a regular user account and tried to use both of these accounts as logon accounts for the "Disk Defragmenter" service on my client server and domain controller.  Each time it failed with the following error:

    In the system event log:

    I also tried moving the client server into a custom OU and blocked inheritance of all parent GPOs, but this did not work either...same error.

    I'm assuming the problem lies with the Default Domain group policy and Default Domain Controllers group policy, I'm just not sure which setting.  I'm at a complete loss, so any help is greatly appreciated.

    jason


    UPDATE:  after further testing, I am receiving the same errors even when the server is not joined to a domain.  After a fresh install of Windows Server 2008 R2, I created a local user and used that account as the logon account for several services. When I started the services, I received the same error.
    • Edited by JE1977 Thursday, March 7, 2013 3:03 PM
    Thursday, March 7, 2013 5:05 AM

Answers

  • Hi Jason,

    The service is possibly missing one of the required privileges and/or the privilege list is incomplete. The required set of priviledges is defined in registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\defragsvc\RequiredPrivileges

    SeChangeNotifyPrivilege
    SelmpersonatePrivilege
    SelncreaseWorkingSetPrivilege
    SeTcbPrivilege
    SeSystemProfilePrivilege
    SeAuditPrivilege
    SeCreateGlobalPrivilege
    SeBackupPrivilege
    SeManageVolumePrivilege

    These privileges should contain LOCAL SERVICE in them.
    You can check that using secpol.msc. Make sure each of the above listed privileges has LOCAL SERVICE listed in them.
    Open secpol.msc -> drill to Local policies -> User Rights Assignment, find the corresponding privileges and make sure LOCAL SERVICE is listed in them.

    Hope it helps.

    Regards,
    Cicely

    Tuesday, March 12, 2013 2:13 AM
    Moderator

All replies

  • Hi Jason,

    In windows 7 this service is set to "Manual" meaning you will have to go into your services on each affected system and set it to "Automatic" Click Start - Run then type Services.msc  and press enter. once this is up find the Disk Defragmenter and select it and click start, then double click it and click on the Tab that says Logon,Make sure it Logs on using the Local systen account and not a service or user account.

    Good Luck I hope this helps you

    Josh

    MCSA,A+,Network+

    Thursday, March 7, 2013 6:49 AM
  • Josh,

    The systems in my lab are Windows Server 2008 R2, not Windows 7. I was testing the functionality of service accounts within my lab. This issue occurs with not only the Disk Defragmenter service, but other services as well...I tried changing the logon account for the Print Spooler service and received the same error.

    Thanks,

    jason

    Thursday, March 7, 2013 3:00 PM
  • Hi Jason,

    The service is possibly missing one of the required privileges and/or the privilege list is incomplete. The required set of priviledges is defined in registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\defragsvc\RequiredPrivileges

    SeChangeNotifyPrivilege
    SelmpersonatePrivilege
    SelncreaseWorkingSetPrivilege
    SeTcbPrivilege
    SeSystemProfilePrivilege
    SeAuditPrivilege
    SeCreateGlobalPrivilege
    SeBackupPrivilege
    SeManageVolumePrivilege

    These privileges should contain LOCAL SERVICE in them.
    You can check that using secpol.msc. Make sure each of the above listed privileges has LOCAL SERVICE listed in them.
    Open secpol.msc -> drill to Local policies -> User Rights Assignment, find the corresponding privileges and make sure LOCAL SERVICE is listed in them.

    Hope it helps.

    Regards,
    Cicely

    Tuesday, March 12, 2013 2:13 AM
    Moderator
  • Cicely,

    None of those privs are listed in local sec pol under user Rights Assignments.  What are the human readable settings in secpol that control those registry entries?

    Tuesday, March 26, 2013 4:49 PM
  • That doesn't follow with your instructions above though:

    <i>

    You can check that using secpol.msc. Make sure each of the above listed privileges has LOCAL SERVICE listed in them.
    Open secpol.msc -> drill to Local policies -> User Rights Assignment, find the corresponding privileges and make sure LOCAL SERVICE is listed in them.

    </i>

    That would imply to me that:

    SeChangeNotifyPrivilege
    SelmpersonatePrivilege
    SelncreaseWorkingSetPrivilege
    SeTcbPrivilege
    SeSystemProfilePrivilege
    SeAuditPrivilege
    SeCreateGlobalPrivilege
    SeBackupPrivilege
    SeManageVolumePrivilege

    Can all be found in the path you indicated in SECPOL. 

    Wednesday, March 27, 2013 2:09 AM
  • Hi Brian,

    Sorry, I didn't make it clear :-(

    Please follow this:

    Open secpol.msc, right click on root node (Security Settings) and export the data to a .inf file, open the .inf file in notepad. 

    In the .inf file make sure the above listed privileges contains the SID of the needed object: for LOCAL SERVICE the SID is S-1-5-19.

    Please try it.

    Regards,
    Cicely

    Wednesday, March 27, 2013 2:57 AM
    Moderator
  • Dear Cicely

    We did the Needed steps

    and exported to ,inf file then modified as you suggested

    but when doing import policy of the modified file local.inf

    it gave an error extended error c:\temp\local.inf

    we tried to export again without modifying the file and import again , it worked

    seems we have to write special characters inside inf file and not just add s-1-5-19

    Thursday, April 25, 2013 8:00 AM
  • remove a hyper-v service e add again, everything is back to 100% function with any config.

    an2nathan

    Tuesday, September 17, 2013 5:31 PM
  • Hi

    still i am not able to restart the service using the service account.... Service account has local admin and domain admin previlage

    Thursday, November 6, 2014 9:37 AM
  • Try to change the account in the services

    follow it this way,

    go to services right click on the services that you want to start, go to the properties and then change the account to local system

    apply and then retry to start it will work

    • Proposed as answer by janderson16982 Friday, January 2, 2015 7:04 PM
    Thursday, November 6, 2014 10:18 AM
  • This worked for me!!! Thanks
    Friday, January 2, 2015 7:05 PM
  • I found the simple solution for this issue: Gpedit.msc -> Local security policy:Computer Configuration-> Windows setting- > Security policy-> Local Policy-> User right assignment: "Act as part of the operating system" and add the user which you want to configure for service account.

    Next add the service account and start the service.

    Regards

    Sanjay


    Thursday, September 22, 2016 4:12 PM
  • You'll find a nice table at the below link that provides the missing piece of the puzzle - the translation of the Privilege Names into the Policy Names that you will only see when opening the Local Security Policy MMC:

    https://blogs.technet.microsoft.com/networking/2011/06/16/the-windows-firewall-service-fails-to-start-checking-privilege-access/


    Dale Unroe

    Thursday, May 11, 2017 1:31 PM
  • I've got the same issue, but with the "Audiosrv" service on Win2016. What helped to me

    1. I checked 

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv\RequiredPrivileges

    SeChangeNotifyPrivilege
    SeImpersonatePrivilege
    SeIncreaseWorkingSetPrivilege

    2. Then I opened secpol.msc -> Local policies -> User Rights Assignment and

    https://msdn.microsoft.com/ru-ru/en-en/library/windows/desktop/bb530716(v=vs.85).aspx?f=255&MSPPError=-2147217396

    So I have check every  Privileges in my "Audiosrv" list and found, that 

    "SeIncreaseWorkingSetPrivilege"="Increase a process working set" is working on Administrators!!! When the default value are "USERS"! (My old Security domain policy). So I changed Administrators to Users and reboot my server.

    Hope it helps.

    Regards, Mila


    Friday, July 7, 2017 10:18 AM