Altiris services on the Notification Server will fail to start on a regular basis due to logon failure

Article ID: 162906

Products

IT Management Suite

Issue/Introduction

A customer reported that the Altiris service account stopped working on his system: the Altiris services began failing to start because of logon failures with the service account currently in use.

After looking at the System Event logs, we found the following entry:

Log Name:      System
Source:        Service Control Manager
Date:          2/4/2016 9:14:45 AM
Event ID:      7041
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Description:
The AeXSvc service was unable to log on as MyDomain\svc_smp with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
 
Service: AeXSvc
Domain and account: MyDomain\svc_smp
 
This service account does not have the required user right "Log on as a service."
 
User Action
 
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
 
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
 

Cause

The service account (in most cases the AppID account) is expected to be listed in the "Log on as a service" security setting. In many cases the following accounts should also be listed in this security setting:

Classic .NET AppPool
DefaultAppPool
The AppID Account or Service Account
Network Service
NT Services\All Services
SMP Server AppPool
Symantec Agent AppPool
Symantec Task Server AppPool

In some instances GPOs can remove this type of permission, and end users may not be aware of it.
 

Resolution

After we looked at the System Event log we were able to see the reason:
This service account does not have the required user right "Log on as a service."

The message itself says why: the account used for our services must be granted the "Log on as a service" user right in the Local Security Settings.
The customer was not sure why this started happening, but I explained to him that this is a Windows requirement and that it is Windows itself asking for this right for his service account.

We added his service account to this "Log on as a service" security permission:
1. From the Run command, type secpol.msc.
2. In the window that opens, go to Security Settings > Local Policies > User Rights Assignment.
3. In the main frame, double-click "Log on as a service" and, under the Local Security Setting tab, add the desired service account.
4. Save the changes.
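
The same check can be scripted. The following PowerShell is an added example, not part of the original article or vendor code: it exports the user-rights policy with secedit, lists every holder of SeServiceLogonRight (the internal name of "Log on as a service"), and shows recent Event ID 7041 entries. The default account name is the sample value from the event text above.

```powershell
# Added example. Run from an elevated PowerShell prompt on the Notification Server.
param(
    # Sample account name from the event text; replace with your own.
    [string]$Account = 'MyDomain\svc_smp'
)

function Get-ServiceLogonRightHolder {
    # Export only the user-rights section of the current security policy.
    $cfg = Join-Path $env:TEMP ('user_rights_{0}.inf' -f [guid]::NewGuid())
    try {
        secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }          # the right is assigned to nobody
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $sid = $null; $name = $null
            try {
                if ($entry.StartsWith('*')) {
                    # "*S-1-5-..." entries are SIDs; resolve them to a name.
                    $sid  = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } else {
                    # Plain entries are account names; resolve them to a SID.
                    $name = $entry
                    $sid  = ([System.Security.Principal.NTAccount]$entry).Translate(
                                [System.Security.Principal.SecurityIdentifier])
                }
            } catch { if (-not $name) { $name = '<unresolved>' } }
            [pscustomobject]@{ Entry = $entry; Name = $name; Sid = "$sid" }
        }
    } finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

$holders    = @(Get-ServiceLogonRightHolder)
$accountSid = ([System.Security.Principal.NTAccount]$Account).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value
$holders | Format-Table -AutoSize
# Direct listing only: a right inherited through a listed group is not detected.
if ($holders.Sid -contains $accountSid) { "$Account is listed for 'Log on as a service'." }
else { "$Account is NOT listed directly for 'Log on as a service'." }

# Recent logon failures recorded by the Service Control Manager (Event ID 7041).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7041 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue | Format-List TimeCreated, Message
```

Run it again after a Group Policy refresh; if the account has dropped off the list, gpresult /h report.html shows which GPO defines the setting.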