
Windows vista firewall problem in a 2003 server domain


Nuno Pratas

Oct 29, 2007, 6:20:01 AM
Hi

I cannot start the Windows Vista firewall in a Windows 2003 domain. I've checked
Group Policies and everything is ok.
I get several errors when I try to start the Windows Firewall service:

"Error 1297: a privilege that the service requires to function properly does
not exist in the service account configuration."

Does anyone have this problem?
--
Nuno Pratas



Rich Harris

Dec 19, 2007, 9:44:00 PM
I'm having the same problem apparently.

Windows Firewall was turned on and configured during the installation and
initial setup. But once I join a Vista PC to the 2003 domain the firewall
gets turned off and I get the same type of errors about account privileges.

I'm in a development scenario where the available domain has not been fully
(or maybe properly) set-up for Vista PCs. I'm using virtual PCs for
development and testing. Vista based PCs are fine stand-alone but once
joined to a production 2003 domain this firewall symptom and some other
connectivity issues show up immediately.

I believe the Domain Security policies corrupt the Vista computer's own
profiles. And I'm sure that there are problems in more places than just the
Firewall not being able to be turned on.

I just hit this so I have no solution yet. Does anyone have guidance on
minimally setting up a 2003 domain to allow it to gracefully host Vista PCs?

Nuno, did you ever get anywhere with this?
--
Rich Harris
Senior Systems and Programming Analyst
Santa Barbara county APCD

Nuno Pratas

Dec 21, 2007, 11:41:01 AM

Hello,

I have a Windows 2003 domain and I resolved the problem. It's all about the
local system account privileges. In Windows Vista the local system account
does not have the same privileges as in Windows XP.

This is how I resolved it. The article is for a Windows 2000 domain. The
policy that you have to change is slightly different in Windows 2003. Hope it
helps.

Windows Firewall function fails after joining Vista clients into Windows
2000 domains
You may experience the issue about no SeIncreaseQuotaPrivilege privilege
under “Local Service” account after joining Vista to Windows 2000 domain.
This could cause several services (Telnet, Firewall etc) not being able to
start. The typical symptom is described as follows:

When joining a Vista client to a Windows 2000 domain, after the Vista client
receives group policy and reboots, it will have some problems managing the
firewall settings.
1. Windows Firewall service (mpssvc) cannot be started with error message
"1279, a privilege that the service requires to function properly does not
exist in the service account configuration"

2. Cannot open "Windows Firewall with Advance configuration Security", the
MMC snap-in will return error 0x6D9

It is because SeIncreaseQuotaPrivilege for “Local Service” account is
missing. In Windows Vista, SeIncreaseQuotaPrivilege privilege is required to
start Firewall service and the account to start Windows Firewall service is
"Local Service", (this is different to the Local System). In Windows 2000
Domain environment, the default configuration for "Increase Quota" is only
assigned to Administrators. Thus after Vista gets the domain policy, the Local
Service's SeIncreaseQuotaPrivilege will be revoked.

The solution is to give SeIncreaseQuotaPrivilege to Local Service.
To do that, open group policy editor and locate Computer Configuration ->
Windows Settings -> Security Settings -> Local Policies -> User Rights
Assignment
On Windows 2000 Group policy Editor, Find "Increase Quota" and add "Local
Service" to the list

Other information
In Windows 2000 AD, the default configuration for "Increase Quota" is assigned
to Administrators. From Windows 2003, the policy name changes to
"Adjust memory quotas for a process" and it is given to Administrators, Local
Service, Network Service and IWAM_[machinename] by default.

Nuno Pratas

MCSE, MCSA
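
A check for the condition described in the post above, as an added example that is not part of the thread. It parses the text of a security template (assumed here to come from `secedit /export /areas USER_RIGHTS` on the client, or from a GPO's GptTmpl.inf) and reports whether Local Service holds SeIncreaseQuotaPrivilege; the function names and sample templates are constructed for illustration.

```python
# Added example: audit a security template for the user right discussed above.
# secedit exports are typically UTF-16; decode the file before passing its text in.

LOCAL_SERVICE_SID = "S-1-5-19"  # well-known SID of NT AUTHORITY\LOCAL SERVICE
LOCAL_SERVICE_NAMES = {"local service", "nt authority\\local service"}

def parse_privilege_rights(inf_text):
    """Return {right_name: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue  # skip blanks and INF comments
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def local_service_has_right(inf_text, right="SeIncreaseQuotaPrivilege"):
    """Return 'present', 'missing', or 'not_defined' (right absent from template)."""
    rights = parse_privilege_rights(inf_text)
    if right not in rights:
        return "not_defined"
    for principal in rights[right]:
        # Entries are either *SID or an account name, sometimes quoted.
        p = principal.lstrip("*").strip('"').lower()
        if p == LOCAL_SERVICE_SID.lower() or p in LOCAL_SERVICE_NAMES:
            return "present"
    return "missing"

# Constructed samples: a policy granting the right to Administrators only,
# and one that also lists Local Service and Network Service.
ADMINS_ONLY = """[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-32-544
"""
WITH_LOCAL_SERVICE = """[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
"""

if __name__ == "__main__":
    for label, text in (("admins only", ADMINS_ONLY), ("fixed", WITH_LOCAL_SERVICE)):
        print(label, "->", local_service_has_right(text))
```

A result of `not_defined` on a GPO template means that policy does not configure the right at all, so the override has to be looked for in another GPO.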
