Question

Windows Services forget user credentials

By Christer Vaskinn

Hi! We have a lot of both servers and other machines that run Windows Services with custom user credentials. However, some of the services have a tendency to stop, because they forget their password. After a lot of the almighty Google, the only solution I found was adding the username under Log on as Service in the Group Policy. But I'm not allowed to add anything in the local policy, and I consider it a safety risk to give some accounts Log on as service on the entire network. I really don't want to make a lot of policies just for the computers that run the services either. I'm pretty sure somebody else knows about this problem, and maybe has a solution.

All Answers

It is unlikely

by lowlands In reply to Windows Services forget u ...

that the service "forgets" its password. It is, however, possible that the accounts are set in AD to change the password periodically. Once the AD password has expired and/or the password has been changed, the service won't be able to start up again (although it will keep running).

When you assign a (domain) account to a service, it will automatically get the "run as a service" permission, so you shouldn't have to manually set that in a policy.

You really have two options: set the "password never expires" property on the account, or change the password in the service before it expires.

Re: It is unlikely

by Christer Vaskinn In reply to It is unlikely

Yes, you are right. The user does not forget its password, but the service stops due to logon failure after a while. This is not because of a password change on the domain account, but something with the service manager.

In some cases, the service will look like it's running, but actually it does nothing. When I try to restart it, I get an error about logon failure. When I re-enter the password, I get the standard prompt about the account getting "Log on as Service privileges". Yet, after a while, history repeats itself.

The error is persistent on all versions of Windows, including XP, 2000 and 2003 Server (R2).

never seen it

by lowlands In reply to Re: It is unlikely

But if you get the little pop-up again about the "Log on as a service privilege", it looks like somehow that piece disappears.

Next time the problem occurs where you see the logon failure, check in either gpedit.msc or rsop.msc if your user has the Log On As a Service privilege.

It is possible this gets overwritten by a Domain Policy.
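
The check suggested in the post above can also be scripted; the following is an added example, not code from the thread or its participants. It exports the machine's current user-rights assignment with `secedit` and reports, for each service running under a custom account, whether that account is named in `SeServiceLogonRight`. It assumes PowerShell 3.0 or later and an elevated prompt; the temporary file name and the `Resolve-Sid` helper are hypothetical names chosen for this example.

```powershell
# Added example: flag services whose logon account is not directly listed
# in SeServiceLogonRight ("Log on as a service") on this machine.
# Run elevated; secedit needs administrator rights to export the policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'   # hypothetical temp file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export has one line per right: SeServiceLogonRight = *S-1-5-..,name,...
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
$entries = @()
if ($line) {
    $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

function Resolve-Sid([string]$Account) {
    # '.\name' means a local account; NTAccount needs the machine name instead.
    $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    try {
        $nt = New-Object System.Security.Principal.NTAccount($name)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # unresolvable account (deleted, domain unreachable)
}

# Entries are either '*<SID>' or a plain account name; normalise to SIDs.
$grantedSids = foreach ($e in $entries) {
    if ($e.StartsWith('*')) { $e.Substring(1) } else { Resolve-Sid $e }
}

# Skip the built-in service identities; only custom accounts are of interest.
$builtin = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)'
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch $builtin } |
    ForEach-Object {
        $sid = Resolve-Sid $_.StartName
        [pscustomobject]@{
            Service  = $_.Name
            Account  = $_.StartName
            State    = $_.State
            # Direct assignment only; a right granted via a group is not detected.
            HasRight = [bool]($sid -and ($grantedSids -contains $sid))
        }
    } | Format-Table -AutoSize
```

Running it once right after re-entering a service password and again after the next Group Policy refresh shows whether the account drops out of the list, which is the overwrite described in the post.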

NT Authority

by CG IT In reply to never seen it

Depending upon the service, using a user account's credentials for logon isn't recommended because of changing passwords, as lowlands pointed out.

Most services run under the NT Authority system account. If you add a service, or a program that you want to run as a service, it's best to use the system account [unless it poses a security risk] so that you don't run into expiring passwords, user accounts that change group memberships, or someone who changes a user account group membership that doesn't really know how the network is set up [the FNGs do this].

You're on to something

by Christer Vaskinn In reply to never seen it

I really think the Domain Policy takes precedence, because I'm not allowed to edit that setting in the local secure policy.