Microsoft KB Archive/940668

= Some services do not start, and you receive an error message after you join a Windows Vista-based computer to a Windows 2000-based domain: "1279, a privilege that the service requires to function properly does not exist" =

Article ID: 940668

Article Last Modified on 9/12/2007


APPLIES TO


 * Windows Vista Business
 * Windows Vista Enterprise
 * Windows Vista Ultimate
 * Windows Vista Business 64-bit Edition
 * Windows Vista Enterprise 64-bit Edition
 * Windows Vista Ultimate 64-bit Edition




SYMPTOMS
After you join a Windows Vista-based computer to a Microsoft Windows 2000-based domain, some services cannot start in Windows Vista. These services may include the following services:
 * The Windows Firewall service
 * The Telephony service
 * The DHCP Client service

Additionally, you may receive the following error message:

1279, a privilege that the service requires to function properly does not exist in the service account configuration

When you try to open the "Windows Firewall with Advanced Security" Microsoft Management Console (MMC) snap-in, you may receive the following error code:

0x6D9



CAUSE
This problem occurs because the domain policies overwrite the following policies in Windows Vista and then revoke the default settings of these policies:
 * The "Adjust Memory quotas for a process" policy
 * The "Replace a process Level token" policy

Note In the Group Policy Object Editor, these two policies are in the following location:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment



RESOLUTION
To resolve this problem, locate the following domain-based policies or organizational unit-based policies:
 * "Adjust Memory quotas for a process"
 * "Replace a process Level token"

Then, add the Local Service account and the Network Service account to these policies. To do this, follow these steps to modify the settings for the Group Policy object (GPO) of the default domain policy.

Note Follow these steps on a domain controller.
 * 1) Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
 * 2) Right-click the Windows 2000-based domain, and then click Properties.
 * 3) Click the Group Policy tab.
 * 4) Click Default Domain Policy, and then click Edit.
 * 5) Expand Computer Configuration.
 * 6) Expand Windows Settings.
 * 7) Expand Security Settings.
 * 8) Expand Local Policies.
 * 9) Double-click User Rights Assignment.
 * 10) In the details pane, right-click Adjust Memory quotas for a process, and then click Properties.
 * 11) Click Add User or Group.
 * 12) In the Enter the object names to select box, type LOCAL SERVICE; NETWORK SERVICE, and then click OK.
 * 13) Repeat step 10 through step 12 to add both the Local Service account and the Network Service account to the "Replace a process Level token" policy.
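
To check a policy template offline for the condition described under CAUSE, before or after making the change above, the following added example (not part of the original article and not a Microsoft tool) parses the `[Privilege Rights]` section of a security template. It assumes that `SeIncreaseQuotaPrivilege` and `SeAssignPrimaryTokenPrivilege` are the privilege constants behind the two policies, that S-1-5-19 and S-1-5-20 are the Local Service and Network Service SIDs, and that the template text has already been decoded to a string; the function names and the sample template are constructed for illustration.

```python
# Added example: audit the [Privilege Rights] section of a security template
# (text of a secedit export or a GPO's GptTmpl.inf, already decoded to str).
SERVICE_SIDS = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
NAME_TO_SID = {name: sid for sid, name in SERVICE_SIDS.items()}
RIGHTS = {  # privilege constant -> policy name as written in the article
    "SeIncreaseQuotaPrivilege": "Adjust Memory quotas for a process",
    "SeAssignPrimaryTokenPrivilege": "Replace a process Level token",
}

# Constructed sample: a domain template that defines both rights without
# the two service accounts, which is the condition the article describes.
SAMPLE = """\
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeAssignPrimaryTokenPrivilege =
SeShutdownPrivilege = *S-1-5-32-544
"""

def parse_privilege_rights(inf_text):
    """Map each defined privilege to the set of SIDs or names it grants."""
    rights, in_section = {}, False
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            members = set()
            for entry in (e.strip().strip('"').upper() for e in value.split(",")):
                if entry.startswith("*"):          # *SID form
                    members.add(entry[1:])
                elif entry:                        # account-name form
                    entry = entry.split("\\")[-1]  # drop "NT AUTHORITY\"
                    members.add(NAME_TO_SID.get(entry, entry))
            rights[name.strip()] = members
    return rights

def missing_service_accounts(inf_text):
    """Return {privilege: [missing accounts]}; undefined rights are skipped."""
    rights = parse_privilege_rights(inf_text)
    findings = {}
    for priv in RIGHTS:
        if priv in rights:  # absent means "not defined": local defaults stay
            missing = set(SERVICE_SIDS) - rights[priv]
            if missing:
                findings[priv] = sorted(SERVICE_SIDS[s] for s in missing)
    return findings
```

A right that is defined with an empty value still overrides the local setting, so it is reported as missing both accounts, while a right that does not appear in the template at all is not reported.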



WORKAROUND
To work around this problem, follow these steps:
 * 1) Restore the default local Group Policy for Windows Vista. To do this, follow these steps:
   * a) Download the Windows Vista Security Guide.msi file. The following file is available for download from the Microsoft Download Center: Download the Windows Vista Security Guide.msi package now.
   * b) On the Windows Vista-based computer, install the Windows Vista Security Guide.msi file in the default installation location.
   * c) Open the Windows Vista Security Guide\GPOAccelerator Tool\Security Group Policy Objects folder.
   * d) Double-click the command-line here tool.
   * e) At the command prompt, type the following command, and then press ENTER:

     cscript GPOAccelerator.wsf /Restore

   * f) Restart the computer.
 * 2) Create a new organizational unit in the domain, and then configure the new organizational unit to block policy inheritance.
 * 3) Move the account from the Windows Vista-based computer to the organizational unit.


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


MORE INFORMATION
By default, the "Adjust Memory quotas for a process" policy has the following security accounts in Windows Vista:
 * Administrators
 * Local Service
 * Network Service

By default, the "Replace a process Level token" policy has the following security accounts in Windows Vista:
 * Local Service
 * Network Service

In Windows Vista, some services are started by using the Local Service account or by using the Network Service account. Therefore, you should use the Local Service account and the Network Service account to start these services.

Additional query words: OU

Keywords: kbtshoot kbprb kbexpertiseinter KB940668


© Microsoft Corporation. All rights reserved.