Service startup fails with "Access Denied" after Win2K3 domain joi

I have a clean install of RC1 Ultimate on a test workstation. Everything was
working fine until I joined it to our Win2K3 domain. Now, several services
fail to start with "Access Denied" errors -- removing Network Access, Windows
Audio, Etc. I experienced a similar problem with Pre-RC1 (Build 5536) which
is why I tried a clean install instead of an upgrade to RC1.

Any thoughts/guidance would be greatly appreciated!

 

Can you be more specific about what services are not getting started ? Is it
lanmanserver, browser, netlogon etc ? Can you post the output of sc query
<servicename> ?

Also, please check the event-log if there is anything which stands out as
out-of-the-ordinary and post it back.

Thanks ~
Prashanth

 

Thank you for the reply!

The following "automatic" services fail at startup:
Base Filtering Engine
DHCP Client
Diagnostic Policy Service
IKE and AuthIP IPsec Keying Modules
IPsec Policy Agent
Network Service List
Network Location Awareness
Thread Ordering Server
Windows Audio
Windows Firewall
Windows Time
Windows Media Center Service Launcher
Windows Media Player Network Sharing Service

Is there a particular service (or list of services) you would like the
results posted for? The output of "sc query" only shows the running
services. Please advise.

Following is the list of (unique) errors / warnings in the system log:
DHCP Client terminates with "Access Denied"
Windows Time service terminates with "Access Denied"
Resource Publication Service fails
DCOM netprofm 1068 Error
Group Policy results warning
DNS registration warning
Thread Ordering Server service terminates with "Access Denied"
Windows Audio service fails Thread Ordering Server dependency
Base Filtering Engine service terminates with "Access Denied"
Windows Firewall service fails Base Filtering Engine dependency
IKE and AuthIP IPSec Keying service fails Base Filtering Engine
dependency
Diagnostic Policy Service terminates with "Access Denied"
Network Location Awareness service terminates with error 3221226008
IPsec Policy Agent service fails Base Filtering Engine dependency
Network List Service fails Network Location Awareness dependency
WMPNetworkSvc fails with registry error 0x80070006
BITS Client fails firewall state set with error 2147944153
WinHTTP Web Proxy Auto-Discovery Service fails DHCP Client dependency

The above list is in chronological order. I have filtered and saved the
full system log from a fresh boot and would be happy to provide that to you
if it would help.

 

Hello, McFly?

 

I am having the exact same error when joining a domain. It is the same with a
fresh install or and upgrade on two different machines.

Lee

 

I have having the exact same issue, it happens with a fresh install or a
upgrade on two differnt machines.

 

We are having the exact same problem. Our workaround has been to creat
a Vista group that does not receive GPO updates from the server. W
then of course add Vista machines to that group before joining them t
the network

Its cheesy, but it works

 

I am having the same problem. I have tried adding a Vista Group to th
DC that does not revieve GPO updates and adding the Vista machines t
this group prior to joining them. It didn't work for us. It appear
to work at first, but after you reboot the machine once or twice pos
joining the domain, the services just fail to start.

Has anyone else come up with a better solution

 

any update on this? I found this thread via google and my company is
having the exact same problems but it is not with every computer we
join to the network. All of our machines are also windows xp pro. So
far this looks like the best answer we have.

 

I have found the problem for me. Is anyone else running Symante
Antivirus 10.1 (more specifically 10.1.0.396). After uninstalling thi
Antivirus the problem did not go away. But once we installe
10.1.5.5000 (labeled as 10.2) the problem went away. The services di
not crash and I was able to restart them. Good Luck

 

Hello all!
I had the same problem an hour ago But i`ve found how to fix it for
me.
When BFE service starts it also start a group of dependent services
(you can see them on Dependencies tab in service props) with "IPSec
policies agent" service as one of them.
In my case the problem was that "IPSec policies agent" service was set
to auto startup via domain GPO. There also were set default permissions
in GPO for this service - SYSTEM - full control, Administrators - Full
control, INTERACTIVE - read. I`ve had to turn on object auditing to
find out what user account is trying to start BFE. In Security logs
i`ve found records saying that sc (service control) is trying to start
service under LOCAL SERVICE account!!! As I later understood - BFE
could not start itself because it could not start a dependent service
IPSec Policies agent. BFE starts IPSec! so, if we look info LOGIN AS
tab in BFE service we will find out that it is starting under LOCAL
SERVICE account! And in my GPO ipsec service has permissions on it to
be started only by SYSTEM and Administratos.
As you understand, the decision was to modify GPO and to give full
control permission to LOCAL SERVICE account on IPSec Policies agent
service.
Now it works!
Hope This HELPS! And good luck!


From BELARUS

 

Thank you for sharing your experience with us.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

Hello all!
I had the same problem an hour ago But i`ve found how to fix it for
me.
When BFE service starts it also start a group of dependent services
(you can see them on Dependencies tab in service props) with "IPSec
policies agent" service as one of them.
In my case the problem was that "IPSec policies agent" service was set
to auto startup via domain GPO. There also were set default permissions
in GPO for this service - SYSTEM - full control, Administrators - Full
control, INTERACTIVE - read. I`ve had to turn on object auditing to
find out what user account is trying to start BFE. In Security logs
i`ve found records saying that sc (service control) is trying to start
service under LOCAL SERVICE account!!! As I later understood - BFE
could not start itself because it could not start a dependent service
IPSec Policies agent. BFE starts IPSec! so, if we look info LOGIN AS
tab in BFE service we will find out that it is starting under LOCAL
SERVICE account! And in my GPO ipsec service has permissions on it to
be started only by SYSTEM and Administratos.
As you understand, the decision was to modify GPO and to give full
control permission to LOCAL SERVICE account on IPSec Policies agent
service.
Now it works!
Hope This HELPS! And good luck!


From BELARUS