Vista - Service startup fails with "Access Denied" after Win2K3 domain joi

Hello all!
I had the same problem an hour ago But i`ve found how to fix it for
me.
When BFE service starts it also start a group of dependent services
(you can see them on Dependencies tab in service props) with "IPSec
policies agent" service as one of them.
In my case the problem was that "IPSec policies agent" service was set
to auto startup via domain GPO. There also were set default permissions
in GPO for this service - SYSTEM - full control, Administrators - Full
control, INTERACTIVE - read. I`ve had to turn on object auditing to
find out what user account is trying to start BFE. In Security logs
i`ve found records saying that sc (service control) is trying to start
service under LOCAL SERVICE account!!! As I later understood - BFE
could not start itself because it could not start a dependent service
IPSec Policies agent. BFE starts IPSec! so, if we look info LOGIN AS
tab in BFE service we will find out that it is starting under LOCAL
SERVICE account! And in my GPO ipsec service has permissions on it to
be started only by SYSTEM and Administratos.
As you understand, the decision was to modify GPO and to give full
control permission to LOCAL SERVICE account on IPSec Policies agent
service.
Now it works!
Hope This HELPS! And good luck!


From BELARUS


--
tortopolos
------------------------------------------------------------------------
tortopolos's Profile: http://forums.techarena.in/member.php?userid=30621
View this thread: http://forums.techarena.in/showthread.php?t=584953

http://forums.techarena.in

Thank you for sharing your experience with us.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
"tortopolos" <tortopolos.2wh9fd@xxxxxx> wrote in message news:tortopolos.2wh9fd@xxxxxx

Hello all!
I had the same problem an hour ago But i`ve found how to fix it for
me.
When BFE service starts it also start a group of dependent services
(you can see them on Dependencies tab in service props) with "IPSec
policies agent" service as one of them.
In my case the problem was that "IPSec policies agent" service was set
to auto startup via domain GPO. There also were set default permissions
in GPO for this service - SYSTEM - full control, Administrators - Full
control, INTERACTIVE - read. I`ve had to turn on object auditing to
find out what user account is trying to start BFE. In Security logs
i`ve found records saying that sc (service control) is trying to start
service under LOCAL SERVICE account!!! As I later understood - BFE
could not start itself because it could not start a dependent service
IPSec Policies agent. BFE starts IPSec! so, if we look info LOGIN AS
tab in BFE service we will find out that it is starting under LOCAL
SERVICE account! And in my GPO ipsec service has permissions on it to
be started only by SYSTEM and Administratos.
As you understand, the decision was to modify GPO and to give full
control permission to LOCAL SERVICE account on IPSec Policies agent
service.
Now it works!
Hope This HELPS! And good luck!


From BELARUS


--
tortopolos
------------------------------------------------------------------------
tortopolos's Profile: http://forums.techarena.in/member.php?userid=30621
View this thread: http://forums.techarena.in/showthread.php?t=584953

http://forums.techarena.in