After a new security-hardening Group Policy Object (GPO) was linked to the OU that contains a Windows Server 2022 file-backup server, the custom BackupAgent service-configured to run under the DOMAIN\backup_svc account-now fails to start.
System-level Event ID 7000 shows: "The BackupAgent service failed to start due to the following error: The service did not start due to a logon failure."
The DOMAIN\backup_svc password has not changed, DNS and network connectivity test cleanly, and no firewall rules were modified. Which specific User Rights Assignment setting in the GPO is the MOST likely cause and should be corrected to restore the service?
Remove the account from Deny log on through Remote Desktop Services
Add the DOMAIN\backup_svc account to Allow log on locally
Grant the DOMAIN\backup_svc account the Log on as a service right
Assign the DOMAIN\backup_svc account the Log on as a batch job right
Windows services that run under a domain or local user account must have the Log on as a service (SeServiceLogonRight) privilege. When a GPO removes that right-or overwrites it with a blank list-the service account cannot obtain a logon token, so Windows records Event ID 7000 and reports a logon failure. Re-granting the DOMAIN\backup_svc account the Log on as a service right (or moving it to a group that already has the right) allows the Service Control Manager to authenticate the account and start the BackupAgent service.
The other options would not resolve this symptom:
Allow log on locally governs interactive console logons, not service logons.
Log on as a batch job applies to scheduled tasks, not background services.
Deny log on through Remote Desktop Services affects RDP sessions and would not prevent a service from starting.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'Log on as a service' mean and why is it important for Windows services?
Open an interactive chat with Bash
What steps can you take to re-grant the 'Log on as a service' right to an account?
Open an interactive chat with Bash
What’s the significance of Event ID 7000 when troubleshooting service startup issues?