sc.exe config "Service Name" obj= "DOMAIN\User" password= "password" not working

The first thing to check is if that user has permission to Log On As A Service in that machine. If he does (and you can do the following procedure to check this), just go to the service (Start Menu - type "services", without the quotes). Find your service on the list, and right-click on it. Select "Properties", and go to the "Log On" tab. Retype the "Password" and "Confirm password". Click OK. If your user DOES have permission to Log On as a Service, a message "The account YourDomain\YourUser has been granted the Log On As a Service right". Just try to start the service again, and it will work.

If your user does not have this kind of permission, you can use one of these two approaches:

1) Start menu - type "local security policy" without the quotes. Open the "Local Policies", then left-click on "User Rights Assignment". On the right panel, right-click on "Log on as a service", and select "Properties". Click on "Add User or Group" and add your user. Click OK. You might have to reboot your machine.

2) Download and install the "Windows Server 2003 Resource Kit Tools" (http://www.microsoft.com/en-us/download/confirmation.aspx?id=17657). Open a command prompt and type:

ntrights +r SeServiceLogonRight -u MyDomain\MyUser -m \\%COMPUTERNAME%

Reboot your computer and try to start the service again.

After your user has been granted the Log On As A Service right, you can create and start services through the command line.


If you face The account YourDomain\YourUser has been granted the Log On As a Service right, you should execute powershell script link AddLogonasaService and this is nothing to do with your password. It's a right/permission for an user to run the service.

Am embedding the code for your reference. You can refer that URL as well.

param($accountToAdd)
 #written by Ingo Karstein, http://blog.karstein-consulting.com
 #  v1.0, 01/03/2014

 ## <--- Configure here

 if( [string]::IsNullOrEmpty($accountToAdd) ) {
    Write-Host "no account specified"
    exit
 }

 ## ---> End of Config

 $sidstr = $null
 try {
    $ntprincipal = new-object System.Security.Principal.NTAccount "$accountToAdd"
    $sid = $ntprincipal.Translate([System.Security.Principal.SecurityIdentifier])
    $sidstr = $sid.Value.ToString()
 } catch {
    $sidstr = $null
 }

 Write-Host "Account: $($accountToAdd)" -ForegroundColor DarkCyan

 if( [string]::IsNullOrEmpty($sidstr) ) {
    Write-Host "Account not found!" -ForegroundColor Red
    exit -1
 }

 Write-Host "Account SID: $($sidstr)" -ForegroundColor DarkCyan

 $tmp = [System.IO.Path]::GetTempFileName()

 Write-Host "Export current Local Security Policy" -ForegroundColor DarkCyan
 secedit.exe /export /cfg "$($tmp)" 

 $c = Get-Content -Path $tmp 

 $currentSetting = ""

 foreach($s in $c) {
    if( $s -like "SeServiceLogonRight*") {
        $x = $s.split("=",[System.StringSplitOptions]::RemoveEmptyEntries)
        $currentSetting = $x[1].Trim()
    }
 }

 if( $currentSetting -notlike "*$($sidstr)*" ) {
    Write-Host "Modify Setting ""Logon as a Service""" -ForegroundColor DarkCyan

    if( [string]::IsNullOrEmpty($currentSetting) ) {
        $currentSetting = "*$($sidstr)"
    } else {
        $currentSetting = "*$($sidstr),$($currentSetting)"
    }

    Write-Host "$currentSetting"

    $outfile = @"
 [Unicode]
 Unicode=yes
 [Version]
 signature="`$CHICAGO`$"
 Revision=1
 [Privilege Rights]
 SeServiceLogonRight = $($currentSetting)
 "@

    $tmp2 = [System.IO.Path]::GetTempFileName()


    Write-Host "Import new settings to Local Security Policy" -ForegroundColor DarkCyan
    $outfile | Set-Content -Path $tmp2 -Encoding Unicode -Force

    #notepad.exe $tmp2
    Push-Location (Split-Path $tmp2)

    try {
        secedit.exe /configure /db "secedit.sdb" /cfg "$($tmp2)" /areas USER_RIGHTS 
        #write-host "secedit.exe /configure /db ""secedit.sdb"" /cfg ""$($tmp2)"" /areas USER_RIGHTS "
    } finally { 
        Pop-Location
    }
 } else {
    Write-Host "NO ACTIONS REQUIRED! Account already in ""Logon as a Service""" -ForegroundColor DarkCyan
 }

 Write-Host "Done." -ForegroundColor DarkCyan

To set the identity for services, I have used a vbscript

Set colServiceList = objWMIService.ExecQuery _
("Select * from Win32_Service where Name = 'Servicename'")
For Each objservice in colServiceList   
errReturn = objService.Change( , , , , , ,WScript.Arguments.Item(0),   WScript.Arguments.Item(1)) 
objService.StartService()   
Next

Where WScript.Arguments.Item(0) is the username arg and WScript.Arguments.Item(1) is password.