Why does my Windows Service keep forgetting its password?
The mystery: “The service did not start due to a login failure”
One of our customers reported a very strange problem last week. After about a day of running flawlessly, their windows service would suddenly fail to start after a reboot. The error reported by the Event Viewer hinted at a problem with the service user’s account:
Trying to start the service directly from the Windows Services Control Panel applicationproduced the same unsatisfying result:
The service account’s password had not changed, and the user had no problem logging into the server interactively. Why was the windows service failing to login?
Luckily we were able to get the service going again by re-entering the user’s password:
When doing so, we noticed that the “Log on as a service” right had to be granted again. Very suspicious…
But a mere 24 hours later, the problem resurfaced! Once again, the service failed to start after a reboot.
The problem: Group Policy overwriting Local Policy
The message about the “Log on as a service” right lead us to the root of the problem.
Entering the password in services.msc updated the user’s rights in the machine’s Local Group Policy — a collection of settings that define how the system will behave for the PC’s users. However, since the user and server were part of a domain, those local settings were periodically overwritten by the domain’s group policy, which had not been updated with the new permission. And because the necessary permission “disappeared” on the machine, the service failed the next time it tried to start.
The solution: Modify the Domain Group Policy
To fix the problem, we must update the domain group policy and explicitly give the service user the “Log on as a service” right. To do so:
- Start the Group Policy Management application.
Open Control Panel, navigate to System and Security > Administrative Tools, and double-click Group Policy Management on the left.
(Note: Don’t search for “group” in Control Panel. That will lead you to the “Edit group policy” link, which opens the local group policy!)
- Find your default domain policy on the left. Right-click it and select Edit to bring up the Group Policy Management Editor window.
- On the left, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and select
the Log on as a service entry on the right.
- Double-click Log on as a service to bring up its Properties window.
Add the user running your windows service to the list and click OK to record the change.
Next time your domain policy is copied to your server, it will bring along the Log on as a service right for the user. You shouldn’t encounter the “logon failure” error again!
A closing note for the folks at Microsoft: A better error message please!
Instead of reporting the generic “logon failure”, why not be more precise and say something like “The user doesn’t have the necessary rights to start the service”? You could provide even more guidance by listing the missing rights.