Windows Firewall function fails after joining Vista clients into Windows 2000 domains

You may run into an issue where the “Local Service” account lacks the SeIncreaseQuotaPrivilege privilege after a Vista client is joined to a Windows 2000 domain. This can prevent several services (Telnet, Windows Firewall, etc.) from starting. The typical symptom is described as follows:

When a Vista client is joined to a Windows 2000 domain, it will have problems managing the firewall settings after it receives group policy and reboots.

1. The Windows Firewall service (mpssvc) cannot be started; it fails with error 1279, "A privilege that the service requires to function properly does not exist in the service account configuration".

2. "Windows Firewall with Advanced Security" cannot be opened; the MMC snap-in returns error 0x6D9.

This happens because SeIncreaseQuotaPrivilege is missing from the “Local Service” account. In Windows Vista, the SeIncreaseQuotaPrivilege privilege is required to start the Windows Firewall service, and the account that starts the service is "Local Service" (not Local System). In a Windows 2000 domain, the default configuration assigns "Increase Quota" only to Administrators. Once the Vista client applies the domain policy, the Local Service account's SeIncreaseQuotaPrivilege is therefore revoked.

The solution is to grant SeIncreaseQuotaPrivilege to Local Service.

To do that, open the Group Policy editor and locate Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.

In the Windows 2000 Group Policy Editor, find "Increase Quota" and add "Local Service" to the list.
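To confirm on the client whether the domain policy has actually removed the right (before and after the GPO change), the following PowerShell script is an added example, not part of the original article: it exports the effective user-rights assignment with secedit.exe, checks whether LOCAL SERVICE (SID S-1-5-19) still holds SeIncreaseQuotaPrivilege, and reports the mpssvc service state. The export file path and the output messages are this example's own choices; run it from an elevated prompt after `gpupdate /force`.

```powershell
# Added example (not from the original article). Checks the effective user-rights
# assignment on this client for the right the article discusses and reports the
# state of the Windows Firewall service. Requires an elevated prompt.

$exportPath = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed temp file name
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $exportPath)) { throw "secedit export failed; run this from an elevated prompt." }

# The export is an INI-style file; the line we need is in the [Privilege Rights] section
# and looks like:  SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
$line = Get-Content $exportPath | Where-Object { $_ -match '^SeIncreaseQuotaPrivilege\s*=' }
Remove-Item $exportPath -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    # Right-hand side is a comma-separated list; SIDs are prefixed with '*'.
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
}

# LOCAL SERVICE is the well-known SID S-1-5-19; older exports may list the name instead.
$hasRight = ($holders -contains '*S-1-5-19') -or ($holders -contains 'NT AUTHORITY\LOCAL SERVICE')

"SeIncreaseQuotaPrivilege holders: $($holders -join ', ')"
if ($hasRight) {
    "OK: LOCAL SERVICE holds SeIncreaseQuotaPrivilege."
} else {
    "MISSING: LOCAL SERVICE does not hold SeIncreaseQuotaPrivilege; expect mpssvc to fail with error 1279."
    "Fix: in the domain GPO, add Local Service to 'Increase Quota' (Windows 2000) / 'Adjust memory quotas for a process' (Windows Server 2003+), then run gpupdate /force."
}

# Service-side symptom described in the article.
$svc = Get-Service -Name mpssvc -ErrorAction SilentlyContinue
if ($svc) { "Windows Firewall service (mpssvc) status: $($svc.Status)" }
```

If the right is present but mpssvc still fails, check whether a different local or domain policy is overriding User Rights Assignment on the client.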

Other information

In Windows 2000 Active Directory, the default configuration assigns "Increase Quota" to Administrators only. Starting with Windows Server 2003, the policy is renamed "Adjust memory quotas for a process" and is granted by default to Administrators, Local Service, Network Service and IWAM_[machinename].