The Terminal Services service may be unable to start on a server that is running Windows Server 2008

Article translations Article translations
Article ID: 946399 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

On a server that is running Windows Server 2008, the Terminal Services service may be unable to start.

This behavior usually occurs after you upgrade an earlier version of the Windows operating system to Windows Server 2008. For example, this behavior may occur after you upgrade Windows Server 2003 to Windows Server 2008.

When this behavior occurs, events that resemble the following events are logged in the System log:

Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: DateTime
Event ID: 10005
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ComputerName
Description: DCOM got error "1297" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}

Log Name: System
Source: LSM
Date: DateTime
Event ID: 1048
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ComputerName
Description: Terminal Service start failed. The relevant status code was %1. A privilege that the service requires to function properly does not exist in the service account configuration.

You may use the Services.msc Microsoft Management Console (MMC) snap-in and the Secpol.msc MMC snap-in to view the service configuration and the account configuration.

CAUSE

This behavior occurs because the NETWORK SERVICE account is not granted the following user rights:
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  • Generate security audits (SeAuditPrivilege)
  • Replace a process level token (SeAssignPrimaryTokenPrivilege)
Note Any service that is configured to start by using the NETWORK SERVICE account may experience similar symptoms.

RESOLUTION

To resolve this behavior, grant the NETWORK SERVICE account the user rights that are described in the "Cause" section.

Note You can use the Secpol.msc Microsoft Management Console (MMC) snap-in to view the user rights that are in effect on the local computer.

If the server is not a domain controller, use Method 1 or Method 2. If the server is a domain controller, use Method 3 or Method 4.

Method 1: Grant the user rights in the Local Security Policy settings

To do this, follow these steps:
  1. Click Start, click Run, type Secpol.msc, and then click OK.
  2. In the Local Security Policy console, expand Local Policies, and then click User Rights Assignment.
  3. Double-click the Adjust memory quotas for a process user right.
  4. In the Properties dialog box, click Add User or Group.
  5. In the Select Users, Computers, or Groups dialog box, type NETWORK SERVICE under Enter the object names to select, and then click OK.
  6. In the Properties dialog box, click OK.
  7. Repeat step 3 through step 6 for the Generate security audits user right and for the Replace a process level token user right.
  8. Click Start, click Run, type Gpupdate, and then click OK.

Method 2: Grant the user rights in a Group Policy object (GPO) that is applied to member servers

To do this, follow these steps:
  1. Click Start, click Run, type Gpmc.msc, and then click OK.
  2. In the Group Policy Management console, expand Forest: DomainName, expand Domains, expand DomainName, expand Group Policy Objects, right-click the GPO that is applied to member servers, and then click Edit.
  3. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
  4. Double-click the Adjust memory quotas for a process user right.
  5. In the Properties dialog box, click Add User or Group.
  6. In the Add User or Group dialog box, type NETWORK SERVICE under User and group names, and then click OK.
  7. In the Properties dialog box, click OK.
  8. Repeat step 4 through step 7 to add the NETWORK SERVICE account for the Generate security audits user right and for the Replace a process level token user right.
  9. Click Start, click Run, type Gpupdate, and then click OK.

Method 3: Grant user rights in the Group Policy settings

To do this, follow these steps:
  1. Click Start, click Run, type Gpmc.msc, and then click OK.
  2. In the Group Policy Management console, expand Forest: DomainName, expand Domains, expand DomainName, expand Group Policy Objects, right-click Default Domain Controllers Policy, and then click Edit.
  3. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
  4. Double-click the Adjust memory quotas for a process user right.
  5. In the Properties dialog box, click Add User or Group.
  6. In the Add User or Group dialog box, type NETWORK SERVICE under User and group names, and then click OK.
  7. In the Properties dialog box, click OK.
  8. Repeat step 4 through step 7 to add the NETWORK SERVICE account for the Generate security audits user right and for the Replace a process level token user right.
  9. Click Start, click Run, type Gpupdate, and then click OK.

Method 4: Update the GptTmpl.inf file

To do this, follow these steps:
  1. In a text editor, such as Notepad, open the GptTmpl.inf file.

    Note The GptTmpl.inf file is in the following folder:
    %systemroot%\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
  2. Update the user rights to the following default setting:
    SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
    SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    SeAssignPrimaryTokenPrivilege =*S-1-5-19,*S-1-5-20
  3. Click Start, click Run, type Gpupdate, and then click OK.

STATUS

This behavior is by design.

MORE INFORMATION

By default in Windows 2000 Server and in Windows Server 2003, the Terminal Services service starts by using the Local System account. In Windows Server 2008, the Terminal Services service starts by using the NETWORK SERVICE account. This is for improved security. If you do not grant the NETWORK SERVICE account the user rights that are described in the "Cause" section, the Terminal Services service cannot start.

If you remove these user rights from the NETWORK SERVICE account in the default domain controllers policy, the Terminal Services service cannot start on domain controllers that are running Windows Server 2008. However, the Terminal Services service can start on domain controllers that are running Windows 2000 Server or Windows Server 2003.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
245207 How to determine NTRIGHTS names and meanings
243330 Well-known security identifiers in Windows operating systems

Properties

Article ID: 946399 - Last Review: February 19, 2008 - Revision: 2.0
APPLIES TO
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
Keywords: 
kbtshoot kbprb kbtermserv kbexpertiseadvanced KB946399

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com