Service login and error: 1068: the dependency service or group failed to start but the service has no dependencies

Question

Service login and error: 1068: the dependency service or group failed to start but the service has no dependencies

Planck, Jeremy 1

As the title says, I am trying to start a windows service, but it is failing with error 1068. The weird thing about this though is that the service reports it has NO dependencies. I've seen this on multiple different services, one of which we wrote ourselves and we know it has no other dependencies, and one which is a known good service from a third party vendor.

However this only happens when using a specific login for the service. If I use the local system account as the login the services both start without any issue. The account I am using is the one I'm currently logged into, and the user permissions show that my account has permission to start a service.

Unfortunately, the services we are using need to be logged in as specific users to authenticate with third party licensing, so we are kind of stuck with this issue.

3 answers

Your answer

Answer 1

VPHAN 24,450 Independent Advisor

Hello Planck, Jeremy,

How is your issue going? To add, the presence of Event ID 3095 confirms that the Service Control Manager (SCM) or the credential subsystem is attempting to invoke the Netlogon service to authenticate the configured logon account. Because the machine operates in a workgroup, Netlogon immediately terminates upon startup, which the SCM subsequently interprets as a fatal dependency failure, resulting in Error 1068. This failure occurs when the SCM attempts a domain-level credential lookup instead of querying the local Security Account Manager (SAM) database. You must force explicit local authentication by modifying the service account format in the Services console to use the exact syntax of .\Username or ComputerName\Username, stripping away any implicit Universal Principal Name (UPN) or legacy domain structures that the OS might be trying to resolve.

Furthermore, you must inspect the raw registry configuration by navigating to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<YourServiceName>. Double-check the DependOnService multi-string value directly within the registry. The Windows Services GUI often masks group dependencies prefixed with a plus sign (like +TDI) or orphaned network provider calls left behind by deployment frameworks. For a truly independent workgroup service, this registry value must be completely empty. Finally, launch secpol.msc and navigate to Local Policies, User Rights Assignment, and ensure your specific local account is explicitly granted the SeServiceLogonRight (Log on as a service) privilege. Relying on local group inheritance for this specific right can fail silently in isolated workgroup environments during the SCM credential broker phase, causing the Netlogon fallback loop you are experiencing.

Hope this answer brought you some useful information. If it has, please consider accepting the answer so that other people sharing the same issue would benefit too. Thank you :)

VP

Planck, Jeremy 1 Reputation point

2026-02-23T12:44:43.9133333+00:00

Well I haven't resolved it yet but I'm still trying to understand how some of these features you're describing work. This is a work computer and most of the user login stuff is handled by our IT team so I don't deal with it much.

I suspect since this is a business computer it actually SHOULD be authenticating on a "domain-level credential lookup" or "the local Security Account Manager (SAM) database". As you said it does "work" when I login with my own account, but on other computers we don't have to do that.

Where would I look to find out why this specific computer doesn't accept, for example, the email address as the username while other computers we have done that successfully? Seems like there is a missing group policy or something.

Edit/update: after looking up the Active Directory domain account and Group Managed Service Account definitions, I think we are using both actually. The account I'm "currently logged into" was my own work account which I think is the active directory one, whereas we eventually plan to use a service account which is what we use to authenticate to the third-party licensing. However neither of these accounts actually work.
VPHAN 24,450 Reputation points Independent Advisor

2026-02-23T13:15:50.9233333+00:00

**Planck, Jeremy,
**Thanks for the update. You confirmed this is a business environment utilizing Active Directory and Group Managed Service Accounts, my previous advice regarding local workgroup isolation no longer applies. The Event ID 3095 you are seeing is the absolute root cause here. It states the machine currently believes it is in a workgroup, meaning the secure channel to your Active Directory Domain Controller is either broken, disabled, or was never properly established. Because the OS thinks it is disconnected from a domain network, the Netlogon service immediately terminates. When the Service Control Manager attempts to authenticate your domain user account or retrieve the gMSA password, it strictly requires Netlogon to broker that request to the Domain Controller. Since Netlogon is halted by the workgroup state, the authentication dependency fails immediately, which the system surfaces as Error 1068.

To resolve this, the computer must re-establish its domain trust. You will need to coordinate with your IT team to open sysdm.cpl and verify the network identification under the Computer Name tab. If it shows a workgroup, the machine must be formally joined to your corporate domain. If it already indicates it is on the domain, the trust relationship is corrupted, requiring the machine to be removed to a workgroup, rebooted, and rejoined to the domain. Once the domain trust is healthy, Netlogon will start automatically. Furthermore, since you plan to transition to a Group Managed Service Account, having the machine on the domain is only the first requirement. The specific computer object must also be granted permission in Active Directory to retrieve the gMSA password. After the domain trust is fixed, an administrator must open an elevated PowerShell session on that specific machine and run Install-AdServiceAccount -Identity "YourgMSAName" to cache the credentials locally. You can confirm the host is properly authorized by executing Test-AdServiceAccount -Identity "YourgMSAName", which must return a value of True. Once the secure channel is restored and the gMSA is installed, configuring the service logon tab with your email address or the gMSA will succeed.

VP

Answer 2

Hello Planck, Jeremy,

Error 1068 designates a dependency failure, but because your issue strictly correlates with a specific user account context and bypasses Local System, the Service Control Manager is failing to initialize the underlying security and credential subsystems required to build that specific user session. Your description currently lacks the necessary environmental details to pinpoint the exact authentication failure. You need to clarify whether the account in question is a standard local user, an Active Directory domain account, or a Group Managed Service Account. Most importantly, you must inspect the System Event Log via eventvwr.msc immediately after the failed startup attempt. Filter the log for Event ID 7001 originating from the Service Control Manager, as Windows explicitly records the exact name of the failed implicit dependency inside this event payload.

As a best-practice isolation step while you retrieve those logs, you must verify that the Remote Procedure Call (RpcSs) and Secondary Logon (seclogon) services are running, as the operating system requires these to broker non-System credentials during service initialization. If the configured account is a domain identity, the Netlogon, Workstation (LanmanWorkstation), and CNG Key Isolation (KeyIso) services become implicit mandatory dependencies for Kerberos token generation and must also be in a running state. Please provide the exact dependent service named in Event ID 7001 so the broken authentication chain can be definitively repaired.

Hope you found something useful in the answer. If it helped you get more insight into the issue, please consider accepting it. Thank you and have a nice day!

VP

Answer 3

The error 1068, which states "the dependency service or group failed to start," typically indicates that a service cannot start due to a failure in one of its dependencies. However, in your case, since the services report having no dependencies and the issue only occurs when using a specific login, it suggests that the problem may be related to the account permissions or configuration for that user.

Here are a few steps you can take to troubleshoot this issue:

Check User Permissions: Ensure that the specific user account has the necessary permissions to start the service. The account may need to be part of the local Administrators group or have specific rights assigned.
Service Logon Configuration: Verify that the service's logon information is correctly configured. You can do this by accessing the service properties in the Services management console and checking the "Log On" tab. Ensure that the password for the account is correct and that it has not expired.
Event Viewer Logs: Check the Windows Event Viewer for any additional error messages that might provide more context about why the service is failing to start. Look specifically under the System and Application logs for any related errors.
Dependency Services: Even if the service itself has no dependencies, it might rely on other system services that could be failing. Check the status of related services that might not be explicitly listed as dependencies.
Group Policy Settings: If the machine is part of a domain, group policy settings might be affecting the service's ability to start under a specific user account. Review any relevant policies that could restrict service logon.
Testing with Other Accounts: If possible, test the service with other user accounts to determine if the issue is isolated to one specific account or if it affects multiple accounts.

By following these steps, you should be able to identify the root cause of the issue and resolve the error 1068 when using the specific login for the service.

References:

Planck, Jeremy 1 Reputation point

2026-02-20T16:21:25.8733333+00:00

Event viewer shows this whenever the service fails to start up:

Error 2/20/2026 11:18:34 AM NETLOGON 3095 None

This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.

Share via

Service login and error: 1068: the dependency service or group failed to start but the service has no dependencies

3 answers

Your answer