Some services do not start, and you receive an error message after you join a Windows Vista-based computer to a Windows 2000-based domain: "1279, a privilege that the service requires to function properly does not exist"

Article translations Article translations
Article ID: 940668 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

After you join a Windows Vista-based computer to a Microsoft Windows 2000-based domain, some services cannot start in Windows Vista. These services may include the following services:
  • The Windows Firewall service
  • The Telephony service
  • The DHCP Client service
Additionally, you may receive the following error message:
1279, a privilege that the service requires to function properly does not exist in the service account configuration
When you try to open the "Windows Firewall with Advanced Security" Microsoft Management Console (MMC) snap-in, you may receive the following error code:
0x6D9

CAUSE

This problem occurs because the domain policies overwrite the following policies in Windows Vista and then revoke the default settings of these policies:
  • The "Adjust Memory quotas for a process" policy
  • The "Replace a process Level token" policy
Note In the Group Policy Object Editor, these two policies are in the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

RESOLUTION

To resolve this problem, locate the following domain-based policies or organizational unit-based policies:
  • "Adjust Memory quotas for a process"
  • "Replace a process Level token"
Then, add the Local Service account and the Network Service account to these policies. To do this, follow these steps to modify the settings for the Group Policy object (GPO) of the default domain policy.

Note Follow these steps on a domain controller.
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the Windows 2000-based domain, and then click Properties.
  3. Click the Group Policy tab.
  4. Click Default Domain Policy, and then click Edit.
  5. Expand Computer Configuration.
  6. Expand Windows Settings.
  7. Expand Security Settings.
  8. Expand Local Policies.
  9. Double-click User Rights Assignment.
  10. In the details pane, right-click Adjust Memory quotas for a process, and then click Properties.
  11. Click Add User or Group.
  12. In the Enter the object names to select box, type LOCAL SERVICE; NETWORK SERVICE, and then click OK.
  13. Repeat step 10 through step 12 to add both the Local Service account and the Network Service account to the "Replace a process Level token" policy.

WORKAROUND

To work around this problem, follow these steps:
  1. Restore the default local Group Policy for Windows Vista. To do this, follow these steps:
    1. Download the Windows Vista Security Guide.msi file. The following file is available for download from the Microsoft Download Center:
      Collapse this imageExpand this image
      Download
      Download the Windows Vista Security Guide.msi package now.
    2. On the Windows Vista-based computer, install the Windows Vista Security Guide.msi file in the default installation location.
    3. Open the Windows Vista Security Guide\GPOAccelerator Tool\Security Group Policy Objects folder. Double-click the command-line here tool.
    4. At the command prompt, type the following command, and then press ENTER:
      cscript GPOAccelerator.wsf /Restore
    5. Restart the computer.
  2. Create a new organizational unit in the domain, and then configure the new organizational unit to block policy inheritance.
  3. Move the account from the Windows Vista-based computer to the organizational unit.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

By default, the "Adjust Memory quotas for a process" policy has the following security accounts in Windows Vista:
  • Administrators
  • Local Service
  • Network Service
By default, the "Replace a process Level token" policy has the following security accounts in Windows Vista:
  • Local Service
  • Network Service
In Windows Vista, some services are started by using the Local Service account or by using the Network Service account. Therefore, you should use the Local Service account and the Network Service account to start these services.

Properties

Article ID: 940668 - Last Review: September 12, 2007 - Revision: 2.1
APPLIES TO
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Ultimate
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
Keywords: 
kbtshoot kbexpertiseinter kbprb KB940668

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com