sc.exe config "Service Name" obj= "DOMAIN\User" password= "password" not working

Question

I want to set password for a service from the cmd. I got the option

sc.exe config "Service Name" obj= "DOMAIN\User" password= "password"

When I execute, its showing "[SC] ChangeServiceConfig SUCCESS" and if I start the service I am getting

"Windows could not start the service1 service on Local Computer. Error 1069: The service did not start due to a logon failure."

I searched and got the below link Using SC.exe to set service credentials password fails

My password doesn't consist of special character.

What's the option to do that?

Answer 1

The first thing to check is if that user has permission to Log On As A Service in that machine. If he does (and you can do the following procedure to check this), just go to the service (Start Menu - type "services", without the quotes). Find your service on the list, and right-click on it. Select "Properties", and go to the "Log On" tab. Retype the "Password" and "Confirm password". Click OK. If your user DOES have permission to Log On as a Service, a message "The account YourDomain\YourUser has been granted the Log On As a Service right". Just try to start the service again, and it will work.

If your user does not have this kind of permission, you can use one of these two approaches:

1) Start menu - type "local security policy" without the quotes. Open the "Local Policies", then left-click on "User Rights Assignment". On the right panel, right-click on "Log on as a service", and select "Properties". Click on "Add User or Group" and add your user. Click OK. You might have to reboot your machine.

2) Download and install the "Windows Server 2003 Resource Kit Tools" (http://www.microsoft.com/en-us/download/confirmation.aspx?id=17657). Open a command prompt and type:

ntrights +r SeServiceLogonRight -u MyDomain\MyUser -m \\%COMPUTERNAME%

Reboot your computer and try to start the service again.

After your user has been granted the Log On As A Service right, you can create and start services through the command line.

Answer 2

If you face The account YourDomain\YourUser has been granted the Log On As a Service right, you should execute powershell script link AddLogonasaService and this is nothing to do with your password. It's a right/permission for an user to run the service.

Am embedding the code for your reference. You can refer that URL as well.

param($accountToAdd)
 #written by Ingo Karstein, http://blog.karstein-consulting.com
 #  v1.0, 01/03/2014

 ## <--- Configure here

 if( [string]::IsNullOrEmpty($accountToAdd) ) {
    Write-Host "no account specified"
    exit
 }

 ## ---> End of Config

 $sidstr = $null
 try {
    $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
    $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
    $sidstr = $sid.Value.ToString()
 } catch {
    $sidstr = $null
 }

 Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan

 if( [string]::IsNullOrEmpty($sidstr) ) {
    Write-Host "Account not found!" -ForegroundColor Red
    exit -1
 }

 Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

 $tmp = [System.IO.Path]::GetTempFileName()

 Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
 secedit.exe /export /cfg "$($tmp)" 

 $c = Get-Content -Path $tmp 

 $currentSetting = ""

 foreach($s in $c) {
    if( $s -like "SeServiceLogonRight*") {
        $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
        $currentSetting = $x[1].Trim()
    }
 }

 if( $currentSetting -notlike "*$($sidstr)*" ) {
    Write-Host "Modify Setting ""Logon as a Service""" -ForegroundColor DarkCyan

    if( [string]::IsNullOrEmpty($currentSetting) ) {
        $currentSetting = "*$($sidstr)"
    } else {
        $currentSetting = "*$($sidstr),$($currentSetting)"
    }

    Write-Host "$currentSetting"

    $outfile = @"
 [Unicode]
 Unicode=yes
 [Version]
 signature="`$CHICAGO`$"
 Revision=1
 [Privilege Rights]
 SeServiceLogonRight = $($currentSetting)
 "@

    $tmp2 = [System.IO.Path]::GetTempFileName()


    Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
    $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force

    #notepad.exe $tmp2
    Push-Location (Split-Path $tmp2)

    try {
        secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS 
        #write-host "secedit.exe /configure /db ""secedit.sdb"" /cfg ""$($tmp2)"" /areas USER_RIGHTS "
    } finally { 
        Pop-Location
    }
 } else {
    Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkCyan
 }

 Write-Host "Done." -ForegroundColor DarkCyan

To set the identity for services, I have used a vbscript

Set colServiceList = objWMIService.ExecQuery _
("Select * from Win32_Service where Name = 'Servicename'")
For Each objservice in colServiceList   
errReturn = objService.Change( , , , , , ,WScript.Arguments.Item(0),   WScript.Arguments.Item(1)) 
objService.StartService()   
Next

Where WScript.Arguments.Item(0) is the username arg and WScript.Arguments.Item(1) is password.

Answer 3

Probably the issue is that it doesn't want quotes around the password. Same goes for the username.

It perhaps cannot tell whether the quotes are part of the password or not.

Alternatively it may be because the given account has not been granted the "log on as a service" privilege.

Generally you should check the Security event log, which will give the reason for the logon failure.

Answer 4

This worked for me:

sc.exe stop "<my_service>" 4:4:3
sc.exe config "<my_service>" obj= "./<local_acc_name>" password= "<local_acc_pass>"
sc.exe start "<my_service>"

So, in short: stop the service before config the password and the start will work fine.