Environment

• App Control Server: All Supported Versions
• Windows Server: All Supported Versions

Symptoms

• App Control Server works after install, but quits after a restart. 
• App Control Server & Reporter services are unable to start, referencing a "Access Denied" or "Invalid Username or Password"
• DefaultAppPool in IIS will stop every time you try to visit the site. 
• Local Security Policy after reboot doesn't show the Carbon Black Service Account listed. 

Cause

• Log on as Batch Job
• Log on as Service

Resolution

1. If you need these settings to be controlled by GPO, then you should add the user account used by the service to be pushed. 
2. Open your domain controller and edit the Group Policy Object that's pushing the two items, Log on as Batch Job and Log on as Service. 
3. Navigate to these items under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
4. Hit the Add User or Group button and add the service account. Note that only a domain account can be added, local users cannot be added. 
5. If the service account you're using is local only, a domain account would need to be created. 

1. If the Log on as Service and Log on as Batch Job are being pushed by GPO, but you don't actually need this, they can be disabled. 
2. Edit the GPO policy that's pushing these settings. 
3. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
4. Edit the Log on as Service, and Log on as Batch Job and uncheck the "Define these policy settings" checkbox. 
5. On the Cb Protection Server open the Local Security Policy under Administrative Tools
6. Manually add the user account to those Log on rolls under Local Policies > User Rights Assignment 

Related Content

App Control: What permissions are needed for the App Control Service account on the App Control serv...
App Control: How Do We Assign the Required Permissions to Our App Control Server Service Account in ...