SharePoint 2007: Troubleshooting Errors 7000 and 7041
Status: Final
Introduction
This posting engages the topic of SharePoint service accounts and their local user rights assignments. In particular, it presents a problem involving service account user rights and GPO refresh and how the problem was discovered, analyzed and resolved. SharePoint service accounts lacking necessary user rights assignments can cause performance degradation [see ref 4] and even operational failure. While this posting engages this for SharePoint 2007, the discussion presented here is equally applicable to on-prem SharePoint 2010, 2013 and 2016 since all of these versions use service accounts that must be provisioned with appropriate user rights.
Background
I had completed an installation of SharePoint Server 2007 Standard onto Windows Server 2003 R2 Enterprise. Domain accounts had been created and configured for the various SharePoint services, as recommended [see ref 1]. Both SP1 and 2 had been installed. No issues. No problems. The next day, I check the Windows Server event logs and found the system event log filled with 7000 and 7041 event errors that repeated frequently (see note 1 below).
Troubleshooting
- Analyzed Windows event log history
- Provisioned service accounts with Log on as a service user right.
- Checked the next day and found the same events appearing again.
- Checked Resultant Set of Policy and found that these service accounts no longer had the Log on as a service user right.
- Provisioned service accounts with Log on as a service user right.
- Checked later the same day and found same events appearing again.
- Checked Resultant Set of Policy and found that these service accounts no longer had the Log on as a service user right
- Analyzed event history
- Found that these events began after about 3 AM.
- Discussed with system admin
- System admin informed me that GPO refresh occurred at 3 AM daily for this system.
- System admin checked and found that service accounts were not configured in GPO with Log on as a service right.
- Submitted request to have this right added to GPO for service accounts.
- Change was implemented same day.
- Analyzed Windows event log history following day
- Error events 7000 and 70041 no longer appeared
Solution
- Check RSoP to determine if Log on as a service right is provisioned for service accounts.
- Ensure that Search and SharePoint timer service accounts are configured n GPO to have the Log as a service user right assignment.
References
- Plan for administrative and service accounts (Office SharePoint Server) - Microsoft TechNet | SharePoint Server 2007
- Add the Log on as a service right to an account - TechNet | Windows Server 2003 | Manage an ADAM Instance
- EventID.NET
- SharePoint 2013: Service Account Configurations and Permissions
- SharePoint 2013: search crawls taking unusually long time to complete
Notes
Windows Server event log errors that were initially observed:
Event Type Error Event Source Service Control Manager Event Category None Event ID 7041 Date 6/17/2010 Time 1:50:45 PM User N/A Computer [servername] Description
The SPsearch service was unable to log on as .\[account name] with the currently configured password due to the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
Service: SPSearch
Domain and account: .\[account name]
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node i a cluster, check that this user right is assigned to the cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, a Group Policy object associated with this node might be removing the right. Check with your domain administrator to find out if this is happening.
For more information...
and
Event Type Error Event Source Service Control Manager Event Category None Event ID 7000 Date 6/17/2010 Time 1:50:45 PM User N/A Computer [servername] Description
The Windows SharePoint Services Search service failed to start due to the following error: The service did not start due to a logon failure.
For more information...
and
Event Type Error Event Source Service Control Manager Event Category None Event ID 7041 Date 6/17/2010 Time 1:50:45 PM User N/A Computer [servername] Description
The SPTimer service was unable to log on as .\[account name] with the currently configured password due to the following error: Logon failure: the user has not been granted the requested logon type at this computer.
Service: SPTimerV3
Domain and account: .\[account name]
User Action
Assign "Log on as a service" to the service account on this computer. You can use Local Security Settings (Secpol.msc) to do this. If this computer is a node i a cluster, check that this user right is assigned to the cluster service account on all nodes in the cluster.
If you have already assigned this user right to the service account, and the user right appears to be removed, a Group Policy object associated with this node might be removing the right. Check with your domain administrator to find out if this is happening.
For more information...
and
Event Type Error Event Source Service Control Manager Event Category None Event ID 7000 Date 6/17/2010 Time 1:50:45 PM User N/A Computer [servername] Description
The Windows SharePoint Services Timer service failed to start due to the following error: The service did not start due to a logon failure.
For more information...