On-Prem Service Account Sign On blocked with "Log on as a service." but has Local Permission

Anonymous
2025-02-14T00:08:58+00:00

We are running into issues with a service that is attempting to log in when the machine restarts and fails with the error: "This service account does not have the required user right "Log on as a service."."

Reviewing the security policy for the local machine shows that the account does indeed have the logon as service permissions assigned.

Once the machine is fully rebooted, starting the service again prompts for the service account password and authenticates successfully as expected.

Digging into the event viewer uncovered the following errors on a recent failure:

  1. NETLOGON error 5719 @ 2/5/2025 9:25:02 AM This computer was not able to set up a secure session with a domain controller in domain [DOMAIN] due to the following: An internal error occurred.
  2. Error 7000 @ 2/5/2025 9:27:02 AM The Okta AD Agent service failed to start due to the following error: The service did not start due to a logon failure.
  3. Error 7041 @ 2/5/2025 9:27:02 AM The Okta Active Directory Service service was unable to log on as DOMAIN\ServiceAccount with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer.

Suspecting that it might be something GPO related, I ran the following commands, both of which returned "The user does not have RSoP data.":

gpresult /r /scope user /user [serviceaccount]

gpresult /h gpo_report.html /user [serviceaccount]

Would I be correct in assuming that the first NETLOGON error is preventing the service account from authenticating regardless of the permissions assigned to it on the machine?

The machine in question is part of the DC tree and is running Microsoft Windows Server 2025 Datacenter.


Locked question, migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.


3 answers

  1. Anonymous
    2025-02-17T11:48:09+00:00

    Hello Karl Richey,

    Thank you for posting in Microsoft Community forum.

    The GPO setting "Log on as a service" is a computer configuration. If the machine is a Domain Controller, you can check whether the machine has the GPO setting by editing the Default Domain Controllers Policy.

    If the machine is a domain member server, you can check whether the machine has the GPO setting by exporting the group policy result.

    For checking Computer Configuration within gpresult, we can follow steps below.

    Logon this machine using administrator account.

    Open CMD (run as Administrator).

    Type gpresult /h C:\gpo.html and press Enter.

    Open gpo.html and check the "Log on as a service" GPO setting under "Computer Details".

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

  2. Anonymous
    2025-02-20T20:34:54+00:00

    Hey, I really appreciate the reply. I was able to export the GPO policy and verified that the service account has both "Log on as a batch job" and "Log on as a service" under:

    Computer Details > Settings > Policies > Windows Settings > Security Settings > Local Policies/User Rights Assignment > Log on as a batch job and Log on as a service.

    Any other ideas you have would be a huge help!

    Thanks

  3. Anonymous
    2025-02-21T10:29:13+00:00

    Hello

    Greetings!

    Please check if there is a "Deny log on as a batch job" and/or "Deny log on as a service" right applied on this machine.

    If not, the priority of the deny is greater than the priority of the allow.

    Please note:

    Windows Client for IT Pros and Windows Server forums are moving to Microsoft Q&A

    We’re transitioning to Microsoft Q&A for a more streamlined experience. Starting 21 February, new questions can only be posted on Microsoft Q&A. Existing discussions will remain accessible here.

    From 26 February, customers looking for support on Answers will be automatically redirected to Microsoft Q&A.

    Best Regards,
    Daisy Zhou

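The checks suggested in the first and third answers (look at the effective "Log on as a service" right, then look for a matching "Deny" right, which wins over the allow) can be done in one pass from the affected server, alongside pulling the 5719/7000/7041 events from the question into one time-ordered view. This is an added example, not code from the thread; `DOMAIN\ServiceAccount` is the placeholder from the question and must be replaced, and the script only matches the account's own SID, so a deny inherited through a group appears in the printed lists but is not flagged automatically.

```powershell
<#
  Added example (not from the thread). Run elevated on the affected server.
  1. Export the effective local user-rights assignment (after GPO) with secedit and check
     whether $Account is listed in SeServiceLogonRight and, more importantly, in
     SeDenyServiceLogonRight, because a deny right overrides the allow.
  2. List the System-log events the question mentions (NETLOGON 5719, Service Control
     Manager 7000/7041) since the last boot so their order can be compared.
  Only the account's own SID is compared; group-based entries are printed but not expanded.
#>
param([string]$Account = 'DOMAIN\ServiceAccount')   # placeholder from the question; replace it

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Resolve the account to its SID; secedit lists principals as *S-1-5-... entries.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-RightHolders([string]$Right) {
    # Lines look like: SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...,DOMAIN\Group
    $m = Select-String -Path $cfg -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $m) { return @() }        # right not configured at all
    ($m.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

$allow = Get-RightHolders 'SeServiceLogonRight'
$deny  = Get-RightHolders 'SeDenyServiceLogonRight'

"{0} ({1})" -f $Account, $sid
"  SeServiceLogonRight     : {0}" -f ($allow -join ', ')
"  SeDenyServiceLogonRight : {0}" -f ($deny  -join ', ')
if     ($deny  -contains $sid) { 'RESULT: account is explicitly DENIED service logon; deny wins over allow' }
elseif ($allow -contains $sid) { 'RESULT: account holds SeServiceLogonRight directly' }
else                           { 'RESULT: account not listed directly; check the groups printed above' }

# Events since the last boot, oldest first, so 5719 can be read against the later 7000/7041.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5719, 7000, 7041; StartTime = $boot } `
             -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Id, ProviderName,
                 @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } -AutoSize
```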