Windows 2008R1 Registry Permissions questions: (Cannot get DPS to work Access denied)
This may or may not be related to our Group Policies, but is not resolved by removing the group policies applied. When we have upgraded our servers from 2003 to 2008, or even taken a fresh install of 2008 (from a template with no policies applied, that I know of), several services do not start (similar to srshowers' post in http://social.technet.microsoft.com/Forums/en-US/itprovistanetworking/thread/5744a4b6-31a2-4f2e-b27e-e99627be5aba ).
I have largely resolved this by editing the registry per the post by Sjuu in the same thread (plus giving local service rights to w32tm). However, I am unable to get DPS to run. I would like assistance in getting it working. (I have given the local service account rights to the hive under hklm\system\ccs\services\dps in addition to dps\enum, dps\parameters; dps\parameters.) No dice.
Additionally, I would like to create a 2008 GPO that adds all the permissions required for these services to run. Do I have to use local service & network service instead of NT Service\mpssvc?
Thanks, if I have mis-posted - please direct me to the correct forum.
-Alex
July 29th, 2011 10:54pm

Hi Alex,
This thread might be helpful: http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/ae370edf-716b-4208-86d6-aba6c44f658b
If the problem continues, please let us know the following information:
1. Is this Windows Server 2008 computer a member server or domain controller?
2. Please make sure the system is up to date with the latest security patches and service pack.
3. What error message do you receive when trying to start the DPS service? Is there any relevant error in event log?
Regards,
Bruce
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
July 31st, 2011 10:31pm

Thanks for the link Bruce,
The server in question is in the default computers container, and has no GPO assigned with security policies. (The link is from a user who states the problem was resolved by removing Group Policy Objects from the OU with his/her machine.) That user has the same question as I do about the local accounts & GPObjects.
I have made the following modifications to my registry:
- HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag : Network Service full control
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip : "Local service" Full, Read (add this permission)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE : "NT Service\BFE" Full, Read (add this permission)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DPS : "NT Service\Trustedinstaller" Full, Read (add this permission)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc : "NT Service\NlaSvc" Full, Read (add this permission)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch : "NT Service\MpsSvc" Query, Set Value (add this permission)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy : "NT Service\MpsSvc" Full, Read (add this permission)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Defaults\FirewallPolicy : "NT Service\MpsSvc" Full, Read (add this permission)
- hklm\system\ccs\services\w32time : Gave local service and network service full control
-> at this: almost automatic services start. Just not DPS.
This particular instance is a root level DC, but it has also occurred with some child member servers.
--> Addendum: There is not really any information about why the Diagnostic Policy Service is not starting: Error 5 access denied.
Thanks,
Alex
August 1st, 2011 4:15pm
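
A read-only way to audit the grants listed in the post above, as an added example that is not part of the original thread. The key and principal pairs are copied from that post; expanding "ccs" to CurrentControlSet and writing the two built-in accounts with the NT AUTHORITY\ prefix are assumptions made here.

```powershell
# Added example (not from the thread): report whether each principal named in
# the post holds an Allow ACE on the corresponding service key. Nothing is
# modified. Run from an elevated PowerShell prompt.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$expected = @(
    @{ Key = 'VSS\Diag'; Principal = 'NT AUTHORITY\NETWORK SERVICE' },
    @{ Key = 'Tcpip';    Principal = 'NT AUTHORITY\LOCAL SERVICE' },
    @{ Key = 'BFE';      Principal = 'NT SERVICE\BFE' },
    @{ Key = 'DPS';      Principal = 'NT SERVICE\TrustedInstaller' },
    @{ Key = 'NlaSvc';   Principal = 'NT SERVICE\NlaSvc' },
    @{ Key = 'SharedAccess\Epoch'; Principal = 'NT SERVICE\MpsSvc' },
    @{ Key = 'SharedAccess\Parameters\FirewallPolicy'; Principal = 'NT SERVICE\MpsSvc' },
    @{ Key = 'SharedAccess\Defaults\FirewallPolicy';   Principal = 'NT SERVICE\MpsSvc' },
    @{ Key = 'W32Time';  Principal = 'NT AUTHORITY\LOCAL SERVICE' },
    @{ Key = 'W32Time';  Principal = 'NT AUTHORITY\NETWORK SERVICE' }
)
$sidType = [System.Security.Principal.SecurityIdentifier]

$report = foreach ($item in $expected) {
    $path = Join-Path $base $item.Key
    $status = 'OK'
    $rights = 'n/a'
    try {
        # Compare by SID so name casing or localisation does not matter.
        $account = New-Object System.Security.Principal.NTAccount($item.Principal)
        $sid = $account.Translate($sidType)
        $acl = Get-Acl -Path $path -ErrorAction Stop
        # Explicit and inherited ACEs, with identities returned as SIDs.
        $aces = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq 'Allow'
        })
        if ($aces.Count -eq 0) { $status = 'NO ALLOW ACE' }
        else { $rights = ($aces | ForEach-Object { $_.RegistryRights }) -join '; ' }
    } catch {
        # Missing key, unresolvable account name, or no right to read the DACL.
        $status = "ERROR: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{
        Key = $path; Principal = $item.Principal; Status = $status; Rights = $rights
    }
}
$report | Format-Table Key, Principal, Status, Rights -AutoSize
```

A "NO ALLOW ACE" row only means the principal has no ACE of its own on that key; access it receives through a group is not reflected.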

sc query dps
service_name: dps
type: 20 win32_share_process
state: 1 stopped
win32_exit_code: 5 (0x5)
Service_Exit_code: 0 (0x0)
checkpoint: 0x0
wait_hint: 0x0
August 4th, 2011 12:58pm

The diagnostic policy service on a 2008 server will not start: error 5 access denied.
net start dps: The Diagnostic Policy Service Service service could not be started: a system error has occurred, system error 5 has occurred. access is denied.
The event log gives no information as to what access was denied (security), leading me to suspect it is a registry permission (Trusted installer does have full control of the DPS hive). When attempting to use Process Monitor to see what is being denied, I see only success, buffer overflow, and name not found (name not found mostly under hklm\system\ccs\control\wdi\...).
Suggestions as to how this may be troubleshot?
August 4th, 2011 9:21pm

Hi am2o,
Sorry for the delay. Please first make sure the operating system is up to date with the latest security patches and Service Pack. Based on my research, I suggest you follow the steps below to troubleshoot this problem:
1. Click Start menu – All Programs – Accessories, right click on Command Prompt and select "Run as administrator"
2. Type "Net start DPS" and run it again. What’s the result?
If the problem continues, please try Daniel’s suggestion in the comments of this article: http://itsvista.com/2007/04/diagnostic-policy-service/
Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Regards,
Bruce
August 8th, 2011 2:12am

For steps 1;2: Net start DPS as admin -> A system error has occurred. System error 5 has occurred. Access is denied.
I'm not sure I understand Daniel's suggestion "To add the following users to the security properties on the c: drive 'Authenticated Users, Users, Creator Owner'" with no mention of permissions. My permissions read as follows:
The following have the listed permissions on this folder, subfolders & files: { System: Full control; Administrators: Full Control; Users: Create Folders / append data; Users: RX; Authenticated Users: RX}; Creator Owner: Special (full to subfolders & Files); Users: Special (Create Files / write data: Subfolders only)
If I have to propagate "Authenticated Users" full control to all files and folders, I think the appropriate answer is rage-face ;)
August 9th, 2011 5:59pm

This topic is archived. No further replies will be accepted.
