Various services not starting

Various services are not starting on numerous servers upon reboot.  The error is "windows could not start the service on local computer. error 1069:  the service did not start due to logon failure."

**It was never an issue until recently.  I've had these servers with these services running fine with no problems for the longest time.
**If I blank out the password under the Log On tab and start the service, the service runs fine.  For some services, I put in the known password and the service starts up fine.  But why is it doing that in the first place?
**Seems like any service that runs as an nt service\user account, or a service whose log on as account is a local user, won't start.
**Running Windows 2012 R2 Standard.
**Called Microsoft and they said the services are third-party services so they can't help.
**Called various vendors and they said something in Windows isn't allowing those services to start, so call Microsoft.
**Looked under local account policy and the log on as a service.  Only domain\administrator is showing and the add users or groups is grayed out.  But this was always the setting and never caused us any issues before.

Antivirus server- the below service won't start
nt service\sqlanys_sem5
nt service\semwebsrv
nt service\semsrv
nt service\msql$veeam
**blanking the password fixes the issue

OCR server- the below service won't start
.\ktserviceuser  
**ktserviceuser is a local user
**putting in the known password for this account fixes the issue.
nt service\msql$sqlexpress
nt service\reportserver$sqlexpress

OCR server 2- the below service won't start
nt service\mssql$sqlexpress

VMware (vcenter) server- the below services won't start
nt service\various VMware services

Please help!
meredithadams Asked:

oBdA Commented:
The issue is definitely this: "looked under local account policy and the log on as a service.  Only domain\administrator is showing and the add users or groups is grayed out."
You have a domain GPO eradicating the "Logon as a Service" user right required for your service accounts.
When you update the logon using the MMC, the MMC automatically sets the "Logon as a Service" right for the account in question. This right will remain in place until the next time the policies are refreshed. Once the service is started while the account is allowed to do so, it will keep running, even if the user right is removed in the meantime.
Easy test: update the logon information for a service. Open secpol.msc, check the "Logon as a service" user right, and you'll see the account in question.
Open an administrative command prompt, enter gpupdate.exe /target:computer /force.
Reload the Security Settings in secpol.msc, and the permission will be gone.
To resolve, make sure that besides any local or domain account you need, "NT SERVICE\ALL SERVICES" has this permission as well.
It would be best to create a local group "LogonAsServiceUserRight" or whatever, add the required user accounts to that group, and give the permission (through the GPO) to that group, so you won't have to change the GPO whenever you change a service.
0
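
The mismatch described in the answer above can be checked before the next reboot. The following is an added example, not part of the original thread: it exports the current user-rights assignment with `secedit` and lists every service whose logon account is not covered by "Log on as a service" (`SeServiceLogonRight`). The helper name `ConvertTo-Sid` and the temporary file name are hypothetical, and group membership is not expanded.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumption: group membership is not expanded, except that NT SERVICE\ALL SERVICES
# (S-1-5-80-0) is treated as covering every NT SERVICE\<name> account (S-1-5-80-*).

function ConvertTo-Sid([string]$Account) {
    try { ([Security.Principal.NTAccount]$Account).Translate([Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

# 1. Export the current user-rights assignment and read SeServiceLogonRight.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$granted = @()
if ($line) {
    $granted = @(($line.Line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) }   # "*S-1-5-..." is already a SID
        else { ConvertTo-Sid $entry }                          # plain account name
    })
}

# 2. Compare every service logon account against that list.
# Assumption: LocalSystem, LocalService and NetworkService have the right built in, so skip them.
$builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $builtin -notcontains $_.StartName } |
    ForEach-Object {
        $account = $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\"   # .\user -> HOST\user
        $sid = ConvertTo-Sid $account
        $covered = $sid -and (($granted -contains $sid) -or
                   ($sid.StartsWith('S-1-5-80-') -and $granted -contains 'S-1-5-80-0'))
        if (-not $covered) {
            [pscustomobject]@{
                Service   = $_.Name
                Account   = $_.StartName
                Sid       = $sid
                StartMode = $_.StartMode
            }
        }
    }
```

A service listed here may still be running, since the right is only checked when the service logs on. Accounts that receive the right through a local group, as the answer recommends, will show up in this list and need to be checked against the group's membership by hand.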
 
Senior IT System Engineer (IT Professional) Commented:
meredithadams,

I had this problem before because someone in my IT team changed the Group Policy at the domain level, which denies everything or only allows specific groups / AD users to log on as a service.

Since the service account cannot log in to the server (test it with a simple RDP session), the service account cannot start the services required.
0
 
meredithadams (Author) Commented:
oBdA, that was the problem.  A preexisting GPO I didn't know about at all was edited and only allowed domain\administrator in the log on as a service.  So, what I've done is just create a new GPO with all the service accounts that all the servers use and applied it to the servers OU.

However, I am running into a problem.  One of my servers uses a local account as its log on as service.  When I tried to add the local user to the GPO, it says "the following accounts could not be validated, computername\localaccountuser."

I can't seem to find anything on the web that shows me how to do this.
0
 
oBdA Commented:
Don't use the object picker; just type (only) the user name (no computername) into the field.
But as I said: the better solution is to assign the user right to a local group, add all the accounts to that group, and add the group to the GPO.
0
 
meredithadams (Author) Commented:
That worked for the local user, thanks.  But I'm running into another problem.  The services are not starting by themselves even though they're set to automatic.  I have to manually start them now.  Is there a fix for this?

Yes, I will look into the local group soon, but I'm doing this now as it is the quickest way to fix it.
0
 
meredithadams (Author) Commented:
Please disregard my last question.  The services started automatically upon 2nd reboot.
0
 
meredithadams (Author) Commented:
Thanks, oBdA, for your detailed descriptions.
0
Question has a verified solution.
