Article ID: 946399 - Last Review: February 19, 2008 - Revision: 2.0

The Terminal Services service may be unable to start on a server that is running Windows Server 2008

View products that this article applies to.

On This Page

Expand all | Collapse all

SYMPTOMS

On a server that is running Windows Server 2008, the Terminal Services service may be unable to start.

This behavior usually occurs after you upgrade an earlier version of the Windows operating system to Windows Server 2008. For example, this behavior may occur after you upgrade Windows Server 2003 to Windows Server 2008.

When this behavior occurs, events that resemble the following events are logged in the System log:

Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: DateTime
Event ID: 10005
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ComputerName
Description: DCOM got error "1297" attempting to start the service TermService with arguments "" in order to run the server: {F9A874B6-F8A8-4D73-B5A8-AB610816828B}

Log Name: System
Source: LSM
Date: DateTime
Event ID: 1048
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ComputerName
Description: Terminal Service start failed. The relevant status code was %1. A privilege that the service requires to function properly does not exist in the service account configuration.

You may use the Services.msc Microsoft Management Console (MMC) snap-in and the Secpol.msc MMC snap-in to view the service configuration and the account configuration.

Back to the top

CAUSE

This behavior occurs because the NETWORK SERVICE account is not granted the following user rights:
  • Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
  • Generate security audits (SeAuditPrivilege)
  • Replace a process level token (SeAssignPrimaryTokenPrivilege)
Note Any service that is configured to start by using the NETWORK SERVICE account may experience similar symptoms.
Back to the top

RESOLUTION

To resolve this behavior, grant the NETWORK SERVICE account the user rights that are described in the "Cause" section.

Note You can use the Secpol.msc Microsoft Management Console (MMC) snap-in to view the user rights that are in effect on the local computer.

If the server is not a domain controller, use Method 1 or Method 2. If the server is a domain controller, use Method 3 or Method 4.
Back to the top

Method 1: Grant the user rights in the Local Security Policy settings

To do this, follow these steps:
  1. Click Start, click Run, type Secpol.msc, and then click OK.
  2. In the Local Security Policy console, expand Local Policies, and then click User Rights Assignment.
  3. Double-click the Adjust memory quotas for a process user right.
  4. In the Properties dialog box, click Add User or Group.
  5. In the Select Users, Computers, or Groups dialog box, type NETWORK SERVICE under Enter the object names to select, and then click OK.
  6. In the Properties dialog box, click OK.
  7. Repeat step 3 through step 6 for the Generate security audits user right and for the Replace a process level token user right.
  8. Click Start, click Run, type Gpupdate, and then click OK.
Back to the top

Method 2: Grant the user rights in a Group Policy object (GPO) that is applied to member servers

To do this, follow these steps:
  1. Click Start, click Run, type Gpmc.msc, and then click OK.
  2. In the Group Policy Management console, expand Forest: DomainName, expand Domains, expand DomainName, expand Group Policy Objects, right-click the GPO that is applied to member servers, and then click Edit.
  3. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
  4. Double-click the Adjust memory quotas for a process user right.
  5. In the Properties dialog box, click Add User or Group.
  6. In the Add User or Group dialog box, type NETWORK SERVICE under User and group names, and then click OK.
  7. In the Properties dialog box, click OK.
  8. Repeat step 4 through step 7 to add the NETWORK SERVICE account for the Generate security audits user right and for the Replace a process level token user right.
  9. Click Start, click Run, type Gpupdate, and then click OK.
Back to the top

Method 3: Grant user rights in the Group Policy settings

To do this, follow these steps:
  1. Click Start, click Run, type Gpmc.msc, and then click OK.
  2. In the Group Policy Management console, expand Forest: DomainName, expand Domains, expand DomainName, expand Group Policy Objects, right-click Default Domain Controllers Policy, and then click Edit.
  3. In the Group Policy Management Editor console, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then click User Rights Assignment.
  4. Double-click the Adjust memory quotas for a process user right.
  5. In the Properties dialog box, click Add User or Group.
  6. In the Add User or Group dialog box, type NETWORK SERVICE under User and group names, and then click OK.
  7. In the Properties dialog box, click OK.
  8. Repeat step 4 through step 7 to add the NETWORK SERVICE account for the Generate security audits user right and for the Replace a process level token user right.
  9. Click Start, click Run, type Gpupdate, and then click OK.
Back to the top

Method 4: Update the GptTmpl.inf file

To do this, follow these steps:
  1. In a text editor, such as Notepad, open the GptTmpl.inf file.

    Note The GptTmpl.inf file is in the following folder:
    %systemroot%\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit
  2. Update the user rights to the following default setting:
    SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
    SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    SeAssignPrimaryTokenPrivilege =*S-1-5-19,*S-1-5-20
  3. Click Start, click Run, type Gpupdate, and then click OK.
Back to the top

STATUS

This behavior is by design.
Back to the top

MORE INFORMATION

By default in Windows 2000 Server and in Windows Server 2003, the Terminal Services service starts by using the Local System account. In Windows Server 2008, the Terminal Services service starts by using the NETWORK SERVICE account. This is for improved security. If you do not grant the NETWORK SERVICE account the user rights that are described in the "Cause" section, the Terminal Services service cannot start.

If you remove these user rights from the NETWORK SERVICE account in the default domain controllers policy, the Terminal Services service cannot start on domain controllers that are running Windows Server 2008. However, the Terminal Services service can start on domain controllers that are running Windows 2000 Server or Windows Server 2003.

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
245207  (http://support.microsoft.com/kb/245207/ ) How to determine NTRIGHTS names and meanings
243330  (http://support.microsoft.com/kb/243330/ ) Well-known security identifiers in Windows operating systems
Back to the top
APPLIES TO
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Datacenter
Back to the top
Keywords: 
kbtshoot kbprb kbtermserv kbexpertiseadvanced KB946399
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations

 

Related Support Centers