Windows' service control loses its "Connect as" at each reboot

Guillaume 21 Reputation points
2022-11-21T09:52:30.003+00:00

Hi all,

So we have this painful issue where two of our services across our infrastructure ALWAYS lose their "open session as" at reboot;

here, for example, our Azure AD Sync,
every time the fix is to

  • go there
  • Search for the account in AD (we've tried DOMAIN\user or user@keyman .local, same result)
  • re-enter the password (we've triple-checked it is the good one, didn't change, didn't expire, ...)
  • restart the service and it just goes

Windows' Event Viewer shows a refused connection in a loop of events 7041->7031->7000

Message in French, sorry; it says:

"The ------ service was unable to log on as NT Service------ with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer.
Service: --------
Domain and account: <Account name>
This service account does not have the required user right "Log on as a service."
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node in a cluster, check that this user right is assigned to the Cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, check with your domain administrator to find out if a Group Policy object associated with this node might be removing the right.
"

like in https://learn.microsoft.com/en-us/troubleshoot/sql/admin/error-1069-service-cannot-start

Any trail or idea is welcome

Thank you all,
Have a great day


Accepted answer
  1. Lan, John 81 Reputation points
    2022-12-01T16:41:51.213+00:00

    So did you check if the "log on as service" right is assigned?

    1 person found this answer helpful.

3 additional answers

  1. Limitless Technology 43,931 Reputation points
    2022-11-23T17:18:01.747+00:00

    Hi,

    Thank you for posting your query.
    Kindly follow the steps provided below to resolve your issue.

    If you change the ADSync service account password, the Synchronization Service will not be able to start correctly until you have abandoned the encryption key and reinitialized the ADSync service account password.

    Go to this link for your reference and other troubleshooting procedures https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-serviceacct-pass

    -----------------------------------------------------------------------------------------------------------------

    If the answer is helpful kindly click "Accept as Answer" and up vote it.


  2. Guillaume 21 Reputation points
    2022-12-01T15:47:41.973+00:00

    Hi, thanks for your answer

    I'm trying the solution provided but it doesn't work

    "PS C:\Program Files\Microsoft Azure AD Sync\Bin> .\miiskmu.exe /a
    The operation encountered an error and cannot be completed.
    ...
    Error Code: 80131904"

    I've tried it

    • with my AD Account with admin permissions
    • with local Administrator
      for each
    • by command line
    • by GUI

    The command line straight up gives the mentioned error

    GUI gives:
    "fail: user does not have required permission for this computer .."
    It's from when I saw this with my AD admin account that I enabled local admin and retried from here;
    this is taken from the local administrator account.

    I also searched for error 80131904
    https://community.spiceworks.com/topic/2094881-sql-error-0x80131904
    among others

    this makes no sense

    I'm a bit lost here :/

    Thank you in advance for any further ideas


  3. MotoX80 31,571 Reputation points
    2022-12-02T00:16:21.11+00:00

    Thank you in advance for any further ideas

    Use gpresult to check to see if there is a policy that is resetting the logon as service right.

    https://www.softwaretestinghelp.com/gpresult-command/

    Enable auditing for account management and policy change (success and failure) and see if anything shows up in your security eventlog that references that account.

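The checks suggested in the last answer, combined into one script as an added example that is not part of the thread: it reads the current "Log on as a service" assignment, looks for a computer-scope GPO that defines the right, and turns on the auditing that records later changes. `DOMAIN\user` is a placeholder for the service's logon account, the file names under `%TEMP%` are arbitrary, and the assumption that the gpresult XML report names the right `SeServiceLogonRight` is marked in the code.

```powershell
# Added example. Run in an elevated PowerShell session on the affected server.
param([string]$Account = 'DOMAIN\user')   # placeholder: the service's logon account

# secedit lists right holders as *SID, so resolve the account to its SID first.
$sid = ([Security.Principal.NTAccount]$Account).Translate(
        [Security.Principal.SecurityIdentifier]).Value
$shortName = ($Account -split '\\')[-1]

# 1. Current local assignment of "Log on as a service" (SeServiceLogonRight).
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$entry = Select-String -Path $inf -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
$holders = @()
if ($entry) {
    $holders = ($entry.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}
# Direct match only: the right can also arrive through a group the account is in.
$direct = ($holders -contains $sid) -or ($holders -contains $shortName)
'{0} ({1}) directly holds SeServiceLogonRight: {2}' -f $Account, $sid, $direct

# 2. Does a computer-scope GPO define the right? A GPO that defines it replaces
#    local edits when policy is applied, which fits a right that is gone after reboot.
#    Assumption: the XML report refers to the right by the name SeServiceLogonRight.
$rsop = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult /scope computer /x $rsop /f | Out-Null
$hits = Select-String -Path $rsop -Pattern 'SeServiceLogonRight' -Context 6, 6
if ($hits) { $hits } else { 'No GPO in the computer RSoP mentions SeServiceLogonRight.' }

# 3. Audit future changes. Subcategory names are localized on non-English Windows;
#    list the local names with: auditpol /list /subcategory:*
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable

# 4. After the next reboot, list grant/removal events that mention the account.
#    4717/4718: logon right granted/removed; 4704/4705: user right assigned/removed.
$pattern = [regex]::Escape($sid) + '|' + [regex]::Escape($shortName)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4704, 4705, 4717, 4718 } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

If step 2 shows a GPO, add the service account to "Log on as a service" in that GPO; a local Secpol.msc edit is overwritten the next time the policy is applied.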