Unable to connect to a VPN with Windows Vista Business/Ultimate after joining it to a domain?

If you’re running Microsoft Windows Vista Business or Ultimate edition and the machine is part of an Active Directory (or Samba) domain, you might run into problems when connecting to a VPN (Virtual Private Network).

When you go through Vista Start -> Connect To -> Set up a connection or network -> Connect to a workplace and finish the process of adding the VPN, the dialog box just disappears or it says it can’t connect.

If you look at the Event log, it may show errors 651, 1068 or 1297 when starting the firewall, telephony, application layer gateway service, or remote access connection manager. If you attempt to start the services manually, you will very likely get the same errors.

Cause: The permissions required to start these services were revoked when you joined the computer to a domain. When the (domain) group policy includes “user rights assignment -> adjust memory quotas for a process”, Vista will wipe out any local permissions for this particular setting.

Workaround: Reset the policy for “user rights assignment -> adjust memory quotas for a process”. A word of warning: contact your Windows system administrator for permission to do this, or have that person do it. DO NOT DO THE FOLLOWING WITHOUT EXPRESS PERMISSION FROM YOUR SYSTEM ADMINISTRATOR! You will need to have local administrator rights for this.

Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment

Make sure that LOCAL SERVICE and NETWORK SERVICE are listed for “adjust memory quotas for a process”.

Next, start the command prompt in Administrator mode: Vista Start -> Accessories -> (right-click on Command Prompt and choose “Run as Administrator”).

Type “gpupdate”.

Finally, reboot the machine. The services should start right up now. Go and set up your VPN again. 🙂
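To confirm the state of the right before and after the workaround, the check below parses a user-rights export (for example one produced with `secedit /export /areas USER_RIGHTS /cfg rights.inf`) and reports whether LOCAL SERVICE and NETWORK SERVICE hold “adjust memory quotas for a process”. It is an added example, not part of the original post; the sample exports are constructed, and the function names are hypothetical.

```python
import re

# Well-known SIDs of the two service accounts the article says must be listed.
REQUIRED = {"S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}
RIGHT = "SeIncreaseQuotaPrivilege"  # "Adjust memory quotas for a process"

# Constructed sample exports (not taken from a real machine).
BROKEN = """[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""
FIXED = """[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
"""

def privilege_holders(inf_text, right=RIGHT):
    """Holders of `right` in [Privilege Rights]; None if the right has no line."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            # SIDs carry a leading '*'; plain account names do not.
            return [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return None

def missing_service_accounts(inf_text):
    """Required service accounts that do not hold the right (by SID or name)."""
    seen = {h.upper() for h in (privilege_holders(inf_text) or [])}
    return [name for sid, name in REQUIRED.items()
            if sid not in seen and name not in seen
            and "NT AUTHORITY\\" + name not in seen]

if __name__ == "__main__":
    print("before:", missing_service_accounts(BROKEN))
    print("after: ", missing_service_accounts(FIXED))
```

A real export is normally written as UTF-16, so read it with `open(path, encoding="utf-16").read()` before passing the text in.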

4 Replies to “Unable to connect to a VPN with Windows Vista Business/Ultimate after joining it to a domain?”

  1. A very nice tip! Thank you for sharing it. That is the kind of tweak that is prone to misuse. And it’s important for an administrator to keep it in mind. By the way, aside from the policy itself there’s a handy way to do such fixes selectively for the user without either having the user to have the administrative rights or the administrator to visit that user’s computer personally. I frequently use Desktop Authority’s feature to maintain similar tasks from my computer. Here’s the page that describes the remote administration feature on their site. The good thing is that it’s possible to change something and then execute the gpupdate remotely and freshen the changes on the user policy.

  2. Sometimes the group policy from the domain may restrict you from making changes to “User Rights Assignment” (secpol.msc).

    For the telephony service you could go to the registry (regedit):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv
    Edit: RequiredPrivileges
    From the list, remove the entry “SeIncreaseQuotaPrivilege”.
