Customer reported that the Altiris Service account stopped working on his system, meaning the Altiris Services started to fail to run due to logging failures with his currently in-use service account.
After looking at the System Event logs, we found the following entry:
Log Name: System
Source: Service Control Manager
Date: 2/4/2016 9:14:45 AM
Event ID: 7041
Task Category: None
The AeXSvc service was unable to log on as MyDomain\svc_smp with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Domain and account: MyDomain\svc_smp
This service account does not have the required user right "Log on as a service."
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
We expect that the Service account (which in most cases is the AppID account) is part of the "Log on as a service" security setting. In many cases the following ones should also be part of this security setting:
Classic .NET AppPool DefaultAppPool The AppID Account or Service Account Network Service NT Services\All Services SMP Server AppPool Symantec Agent AppPool Symantec Task Server AppPool
In some instances GPOs can remove this type of permissions and end users may not be aware of it.
After we looked at the System Event log we were able to see the reason: This service account does not have the required user right "Log on as a service."
The message itself says why. The account used for our services needs to be part of the "Log on as a service" security permission for the Local Security Settings. Customer was not sure why this started happening but I explained him that this is a Windows requirement and it is Windows itself asking for this right for his service account.
We added his service account to this "Log on as a service" security permission: 1. From the Run command, type secpol.msc. 2. From the window that opens, go to Security Settings>Local Policies>User Right Assignment 3. On the main frame, double-click on "Log on as a service" and under the Local Security Setting tab, add the desired service account. 4. Save changes
Subscribing will provide email updates when this Article is updated. Login is required.