FIM Password Reset Client Service error 1053 when starting service - what is the minimum permissions set?

Hi,

I've installed Password Reset Client Service on a machine with locked down GPO settings. Now the service, running under the NETWORK_SERVICE account, doesn't start (the Service Control Manager reports error 1053 after waiting 30 seconds for the service to respond during start).

If I change the service account to some other account (e.g. a domain account), the service runs fine and I am able to reset passwords successfully, so there are no issues with the password reset infrastructure, firewall, etc. The problem is only with NETWORK SERVICE not having enough permissions to do its job.

Unfortunately, there are no event log entries in any of the relevant event logs (Application, Security, System, Forefront Identity Manager) that would provide additional information on why the service doesn't start. Process Monitor tracing revealed only that the service cannot access some of the registry entries. After granting permissions, the service still refuses to start.

What I'd like to know is: is there a list of the permissions and configuration entries that NETWORK SERVICE needs in order to run normally?

If that is not available, does anybody have any idea how to find out what is preventing the NETWORK SERVICE account from running that service?

Thank you and best regards,

P


September 20th, 2013 10:13am

Hello Poulson, we experience the exact same problem.

Did you find a resolution or the missing permission setting?

Regards, Fatih

April 2nd, 2014 4:44pm

Hi,

After some research and troubleshooting it was determined that generatePublisherEvidence (http://msdn.microsoft.com/en-us/library/bb629393(v=vs.90).aspx) was the culprit. After disabling it, the service was able to start normally.

Regards, P

April 3rd, 2014 1:51am
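The generatePublisherEvidence element linked above tells the CLR whether to verify an assembly's Authenticode signature at load time in order to build Publisher evidence for Code Access Security; that verification is the step that can reach out for a certificate revocation list and stall a service start. The following PowerShell is an added example, not code from the thread or from the FIM product: it writes `<generatePublisherEvidence enabled="false"/>` under `<configuration><runtime>` in a service's .exe.config and reads the setting back, so the "syntax problem with the above entry" case can be ruled out. The config file path and the service name are placeholders to be replaced with the real ones.

```powershell
# Added example (not from the thread): set and verify the .NET
# <generatePublisherEvidence> element in a service's application config.
# PLACEHOLDER: point this at the real Password Reset Client Service .exe.config.
$ConfigPath = 'C:\Program Files\PLACEHOLDER\PasswordResetClientService.exe.config'

function Set-PublisherEvidence {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [bool] $Enabled = $false
    )
    # Keep a copy so the change can be reverted once troubleshooting is done.
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force

    [xml] $doc = Get-Content -LiteralPath $Path -Raw
    $config = $doc.SelectSingleNode('/configuration')
    if (-not $config) { throw "No <configuration> root element in $Path" }

    # Create <runtime> and <generatePublisherEvidence> only if they are missing,
    # so an existing element is updated in place rather than duplicated.
    $runtime = $config.SelectSingleNode('runtime')
    if (-not $runtime) {
        $runtime = $doc.CreateElement('runtime')
        [void] $config.AppendChild($runtime)
    }
    $elem = $runtime.SelectSingleNode('generatePublisherEvidence')
    if (-not $elem) {
        $elem = $doc.CreateElement('generatePublisherEvidence')
        [void] $runtime.AppendChild($elem)
    }
    # The attribute must be the literal lower-case "true" or "false".
    $elem.SetAttribute('enabled', $Enabled.ToString().ToLowerInvariant())
    $doc.Save($Path)
}

function Test-PublisherEvidence {
    param([Parameter(Mandatory)] [string] $Path)
    [xml] $doc = Get-Content -LiteralPath $Path -Raw
    $elem = $doc.SelectSingleNode('/configuration/runtime/generatePublisherEvidence')
    if (-not $elem) { return 'absent (runtime default: enabled)' }
    return "enabled=$($elem.GetAttribute('enabled'))"
}

Set-PublisherEvidence -Path $ConfigPath -Enabled:$false
Test-PublisherEvidence -Path $ConfigPath

# PLACEHOLDER: replace with the actual service name shown by Get-Service.
Restart-Service -Name 'PLACEHOLDER_PasswordResetClientService'
```

The setting is applied per executable, so it must be placed in the config file beside the service's own .exe, not in machine.config. It only switches off Publisher evidence generation; it does not change the service account's permissions, which is why it helps when the symptom is a startup stall on a box that cannot reach the Internet and does nothing when the cause is a missing right.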

Thanks for the hint; unfortunately this didn't solve our issue.

We need to do some more research and troubleshooting.

Thanks, Fatih

April 3rd, 2014 6:37am

Fatih,

The above often solves it because it disables CRL checking for the account running the service. As the service runs as the network service, it has no scope off the box, so the machine account is typically used, and many shops have policies in place that prevent this. If the above entry doesn't help, try using your account as the service account. If that works, then it's probably a syntax problem with the above entry. If it fails with your account too, then it's most likely not CRL checking. There is a registry key that can be configured that could assist:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
ServicesPipeTimeout = 30000

Try setting this to another value higher than 30000. This value is in milliseconds. I would also look at a network capture and verify whether we are indeed attempting to go to the Internet during service startup.

April 4th, 2014 3:37pm
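The ServicesPipeTimeout value above is what the Service Control Manager waits for before reporting error 1053, and it is read at boot, so a change needs a restart to take effect. The PowerShell below is an added example, not code from the thread: it reads the current value (absent means the 30000 ms default the thread mentions), writes a larger one as a REG_DWORD, and reads it back. The 120000 ms value is only a sample; pick whatever gives the service enough room for a slow start.

```powershell
# Added example (not from the thread): inspect and raise the SCM service
# start timeout. The value is a REG_DWORD in milliseconds under
# HKLM\SYSTEM\CurrentControlSet\Control and is applied at the next boot.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$ValueName = 'ServicesPipeTimeout'

function Get-ServicesPipeTimeout {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    # Absent value: the SCM falls back to its built-in 30 second timeout.
    if ($null -eq $item) { return $null }
    return [int] $item.$ValueName
}

function Set-ServicesPipeTimeout {
    param([Parameter(Mandatory)] [int] $Milliseconds)
    if ($Milliseconds -le 30000) {
        throw 'Use a value above the 30000 ms default; anything lower does not help here.'
    }
    # -PropertyType DWord is required: the documented type of this value is REG_DWORD.
    # -Force overwrites an existing value instead of failing.
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value $Milliseconds `
        -PropertyType DWord -Force | Out-Null
    Write-Host "ServicesPipeTimeout set to $Milliseconds ms; reboot for the SCM to pick it up."
}

$before = Get-ServicesPipeTimeout
"Before: $(if ($null -eq $before) { 'absent (30000 ms default)' } else { "$before ms" })"

Set-ServicesPipeTimeout -Milliseconds 120000   # sample value, constructed for this example

"After:  $(Get-ServicesPipeTimeout) ms"
```

Raising the timeout is system-wide and only buys the service more time; it does not remove whatever the service is waiting on. Pair it with the network capture the reply suggests: if the capture shows an outbound connection attempt that never completes during startup, the stall is a blocked network call (CRL fetch or otherwise) rather than a missing permission for NETWORK SERVICE, and the fix belongs in the config or the proxy or firewall policy, not in the timeout.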

