HowTo: Fix Event Log Error “service account does not have the necessary user right ‘Log on as a service.’”

Steve Stonebraker
June 28, 2010

In this case my error looked something like:

"The Tomcat6 service was unable to log on..."
This service account does not have the necessary user right "Log on as a service."

Because I was running Tomcat6 on an Active Directory domain controller (Windows Server 2003), I was unable to grant “Log on as a service” rights.

The FIX:

Run the service as “NT AUTHORITY\NetworkService” (no quotes) with a blank password.

Login as a Service with NT AUTHORITY NETWORK SERVICE

Even after following the recommended options in the Microsoft TechNet article http://technet.microsoft.com/en-us/library/cc739424%28WS.10%29.aspx, nothing would work (full text of the article below); however, the user “NT AUTHORITY\NetworkService” worked right away.

Add the Log on as a service right to an account

Updated: August 22, 2005

Applies To: Windows Server 2003 R2

To add the “Log on as a service” right to an account on your local computer
  1. Open Local Security Policy.
  2. In the console tree, double-click Local Policies, and then click User Rights Assignments.
  3. In the details pane, double-click Log on as a service.
  4. Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log on as a service right.

To add the “Log on as a service” right to an account for a Group Policy object, when you are on a workstation or server that is joined to a domain

  1. Click Start, point to Run, type mmc, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. In Add/Remove Snap-in, click Add, and then, in Add Standalone Snap-in, double-click Group Policy Object Editor.
  4. In Select Group Policy Object, click Browse, browse to the Group Policy object (GPO) that you want to modify, click OK, and then click Finish.
  5. Click Close, and then click OK.
  6. In the console tree, click User Rights Assignment.

    Where?

    • GroupPolicyObject [ComputerName] Policy
    • Computer Configuration
    • Windows Settings
    • Security Settings
    • Local Policies
    • User Rights Assignment
  7. In the details pane, double-click Log on as a service.
  8. If the security setting has not yet been defined, select the Define these policy settings check box.
  9. Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log on as a service right.

To add the “Log on as a service” right to an account for a Group Policy object, when you are on a domain controller or on a computer that has the Windows Server 2003 Administration Tools Pack installed

  1. Open Active Directory Users and Computers.
  2. In the console tree, right-click the domain or organizational unit (OU) for which you want to edit security settings.
  3. Click Properties, and then click the Group Policy tab.
  4. In Group Policy Object Links, click the Group Policy object for the domain or OU for which you want to edit security settings, and then click Edit.
  5. In the console tree, click User Rights Assignment.

    Where?

    • GroupPolicyObject [ComputerName] Policy
    • Computer Configuration
    • Windows Settings
    • Security Settings
    • Local Policies
    • User Rights Assignment
  6. Double-click Log on as a service in the details pane.
  7. If this security setting has not yet been defined, select the Define these policy settings check box.
  8. Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log on as a service right.

To add the “Log on as a service” right to an account for only domain controllers, when you are on a domain controller

  1. Open Domain Controller Security Policy.
  2. In the console tree, click User Rights Assignment.

    Where?

    • Security Settings
    • Local Policies
    • User Rights Assignment
  3. In the details pane, double-click Log on as a service.
  4. If this security setting has not yet been defined, select the Define these policy settings check box.
  5. Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log on as a service right.

Notes

  • To open Local Security Policy, click Start, point to Control Panel, point to Administrative Tools, and then double-click Local Security Policy.
  • To open Domain Controller Security Policy, click Start, point to All Programs, point to Administrative Tools, and then click Domain Controller Security Policy.
  • When you change a security setting, that setting will take effect in the next refresh of settings.
  • The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.
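
To confirm after a policy refresh whether a grant actually reached the machine, the following added example (not part of the original post or the TechNet article) compares the service's logon account with the accounts listed for SeServiceLogonRight, the privilege name behind "Log on as a service", in a `secedit` export. It assumes an elevated Windows PowerShell session; the `Tomcat6` default comes from the post, and the `Resolve-Sid` helper and temp-file name are made up for this example.

```powershell
# Added example (not from the original post). Run elevated in Windows PowerShell.
# 'Tomcat6' is the service named in the post; the temp-file name is arbitrary.
param([string]$ServiceName = 'Tomcat6')

function Resolve-Sid([string]$Name) {
    # Well-known service accounts, mapped by hand so spelling variants
    # ("NetworkService" vs "NETWORK SERVICE") compare equal.
    $wellKnown = @{ 'ntauthority\networkservice' = 'S-1-5-20'
                    'ntauthority\localservice'   = 'S-1-5-19' }
    $key = ($Name -replace '\s', '').ToLower()
    if ($wellKnown.ContainsKey($key)) { return $wellKnown[$key] }
    # Win32_Service reports local accounts as ".\name".
    if ($Name.StartsWith('.\')) { $Name = $env:COMPUTERNAME + '\' + $Name.Substring(2) }
    $acct = New-Object System.Security.Principal.NTAccount($Name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 1. Account the service is configured to start as.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }
if ($svc.StartName -eq 'LocalSystem') {
    "$ServiceName runs as LocalSystem; this check is for named accounts."
    return
}
$sid = Resolve-Sid $svc.StartName

# 2. Export the user rights currently set on this machine and pick out
#    the "Log on as a service" line, e.g. SeServiceLogonRight = *S-1-5-20,...
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
        Select-Object -First 1
Remove-Item $inf

# 3. Entries are comma-separated; SIDs carry a leading '*', names do not.
$granted = @()
if ($line) {
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) { $granted += $entry.Substring(1) }
        else { try { $granted += Resolve-Sid $entry } catch { Write-Warning "Unresolved: $entry" } }
    }
}

# 4. Direct grants only: a right inherited through a group is not expanded.
if ($granted -contains $sid) {
    "OK: $($svc.StartName) ($sid) is listed for Log on as a service."
} else {
    "NOT LISTED: $($svc.StartName) ($sid) has no direct Log on as a service grant."
}
```

A "NOT LISTED" result for a custom service account is the condition behind the event log error above; review the list of granted accounts periodically, since every entry is an identity that can run unattended code on the host.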