Some services do not start, and you receive an error message after you join a Windows Vista-based computer to a Windows 2000-based domain: "1279, a privilege that the service requires to function properly does not exist"
After you join a Windows Vista-based computer to a Microsoft Windows 2000-based domain, some services cannot start in Windows Vista. These services may include the following services:
The Windows Firewall service
The Telephony service
The DHCP Client service
Additionally, you may receive the following error message:
1279, a privilege that the service requires to function properly does not exist in the service account configuration
When you try to open the "Windows Firewall with Advanced Security" Microsoft Management Console (MMC) snap-in, you may receive the following error code:
This problem occurs because the domain policies overwrite the following policies in Windows Vista and then revoke the default settings of these policies:
The "Adjust Memory quotas for a process" policy
The "Replace a process Level token" policy
Note: In the Group Policy Object Editor, these two policies are in the following location:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
To resolve this problem, locate the following domain-based policies or organizational unit-based policies:
"Adjust Memory quotas for a process"
"Replace a process Level token"
Then, add the Local Service account and the Network Service account to these policies. To do this, follow these steps to modify the settings for the Group Policy object (GPO) of the default domain policy.
Note: Follow these steps on a domain controller.
1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the Windows 2000-based domain, and then click Properties.
3. Click the Group Policy tab.
4. Click Default Domain Policy, and then click Edit.
5. Expand Computer Configuration.
6. Expand Windows Settings.
7. Expand Security Settings.
8. Expand Local Policies.
9. Double-click User Rights Assignment.
10. In the details pane, right-click Adjust Memory quotas for a process, and then click Properties.
11. Click Add User or Group.
12. In the Enter the object names to select box, type LOCAL SERVICE; NETWORK SERVICE, and then click OK.
13. Repeat step 10 through step 12 to add both the Local Service account and the Network Service account to the "Replace a process Level token" policy.
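One way to confirm the result of these steps on an affected computer, as an added example that is not part of the original article: the script parses a secedit USER_RIGHTS export and reports whether LOCAL SERVICE (S-1-5-19) and NETWORK SERVICE (S-1-5-20) hold both rights. The function name and the sample export are constructed for illustration, and entries are assumed to be in *SID form.

```powershell
# Added example, not from the original article.
# SeIncreaseQuotaPrivilege      = "Adjust memory quotas for a process"
# SeAssignPrimaryTokenPrivilege = "Replace a process level token"
# Well-known SIDs: S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE.
$RequiredSids   = @('S-1-5-19', 'S-1-5-20')
$RequiredRights = @('SeIncreaseQuotaPrivilege', 'SeAssignPrimaryTokenPrivilege')

# Hypothetical helper: takes the lines of a secedit export and returns one
# object per (right, SID) pair with a Granted flag.
function Test-ServiceAccountRights {
    param([string[]]$InfLines)

    # Collect "Right = *SID,*SID,..." entries from the [Privilege Rights] section.
    $granted = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $t -match '^(\w+)\s*=\s*(.*)$') {
            $granted[$Matches[1]] = @($Matches[2].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    foreach ($right in $RequiredRights) {
        # A right that is missing from the export is granted to no account.
        $holders = @()
        if ($granted.ContainsKey($right)) { $holders = $granted[$right] }
        foreach ($sid in $RequiredSids) {
            New-Object PSObject -Property @{ Right = $right; Sid = $sid; Granted = ($holders -contains $sid) }
        }
    }
}

# Constructed sample export showing the failure state: the domain policy left
# only Administrators (S-1-5-32-544) in SeIncreaseQuotaPrivilege.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

Test-ServiceAccountRights $sample | Format-Table Right, Sid, Granted -AutoSize

# Against a live computer (elevated prompt):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-ServiceAccountRights (Get-Content "$env:TEMP\rights.inf")
```

Any row with Granted set to False after Group Policy has refreshed means the domain or organizational unit policy still omits that account from the right.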
To work around this problem, follow these steps:
Restore the default local Group Policy for Windows Vista. To do this, follow these steps:
On the Windows Vista-based computer, install the Windows Vista Security Guide.msi file in the default installation location.
Open the Windows Vista Security Guide\GPOAccelerator Tool\Security Group Policy Objects folder. Double-click the Command-line Here tool.
At the command prompt, type the following command, and then press ENTER:
cscript GPOAccelerator.wsf /Restore
Restart the computer.
Create a new organizational unit in the domain, and then configure the new organizational unit to block policy inheritance.
Move the account from the Windows Vista-based computer to the organizational unit.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
By default, the "Adjust Memory quotas for a process" policy has the following security accounts in Windows Vista:
By default, the "Replace a process Level token" policy has the following security accounts in Windows Vista:
In Windows Vista, some services are started by using the Local Service account or by using the Network Service account. Therefore, you should use the Local Service account and the Network Service account to start these services.