
Error "Could not start the RM Unify AD Sync Service on Local Computer" displayed when you start the RM Unify AD Sync Service
Published Date : 14 Jun 2013   Last Updated : 25 Jul 2024   Content Ref: TEC3337606  





Symptoms

When attempting to start the RM Unify AD Sync Service, you may receive the following error message:
"Microsoft Management Console
Could not start the RM Unify AD Sync Service on Local Computer
Error 1069: The service did not start due to a logon failure."

If you have just installed RM Unify AD Sync and are trying to launch the RM Unify AD Sync Configuration tool for the first time, you may find that the tool halts at "Waiting for database configuration to complete" and does not continue after five minutes.



Cause

The RM Unify AD Sync Service user account (identitysyncservice) does not have the 'Log on as a service' right.

This right should be assigned automatically during the RM Unify AD Sync Service installation. If this does not happen, it will need to be assigned manually.

If you have a vanilla network, please seek advice from your network support engineer or team on how to manually assign this 'Log on as a service' right.

If you have a Community Connect® 4 (CC4) network and are familiar with group policies, you can assign the 'Log on as a service' right yourself by following the steps in the Procedure section below.



Procedure

Assigning 'Log on as a service' right on CC4

Depending on your server operating system, CC4 version and whether you have installed RM Unify AD Sync on a domain controller or member server, the 'Log on as a service' setting could be set in:

  • Default Domain Controllers policy.
  • RM Member Server policy.
  • Local Security policy.

Note: The golden policy rule is that one should only append to an existing list of user accounts (whether this is in the Default Domain Controllers, RM Member Server or Local Security policy). Upon checking each policy, if you see that the only option is to tick the 'Define these policy settings' box, then this is not the policy to enable and edit. Select the other one.

  1. Run gpmc.msc to open Group Policy Management.
  2. Expand the Group Policy Objects container.
  3. Click the Default Domain Controllers policy (or RM Member Server policy if RM Unify AD Sync is installed on a member server) and in the right-hand pane click the Settings tab.
  4. In the top-right corner, click Show all.
  5. Browse through Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment.
  6. Locate the 'Log on as a service' setting. If the setting is not present here, then this GPO does not deliver the setting. Skip to step 17 to check if it has been defined directly by the Local Security policy.
  7. When located, right-click the Default Domain Controllers policy (or RM Member Server policy if RM Unify AD Sync is installed on a member server and you have located it in this policy) and click 'Edit'.
  8. On the new window, expand Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment.
  9. Locate the 'Log on as a service' policy. If this is set as Not Defined, close all windows and skip to step 17. Otherwise double-click the policy.
  10. If the user 'identitysyncservice' is already listed, select and remove it.
  11. Click 'Add User or Group', then click Browse.
  12. Type identitysyncservice and click Check Names to populate the box with the full name of the user account.
    Important note: You must click Check Names to ensure that the correct user account is added. Do not simply type identitysyncservice and click OK.
  13. Click OK, OK. The user CC4\identitysyncservice should now appear in the list.
  14. Click OK.
  15. Close all the Group Policy windows and skip to step 24 below.
  16. On the AD Sync server, open the Local Security policy (secpol.msc).
  17. Expand Local Policies, User Rights Assignment and double-click the 'Log on as a service' policy.
  18. If the user 'identitysyncservice' is already listed, remove it.
  19. Click 'Add User or Group'.
  20. Type identitysyncservice and click Check Names to populate the box with the full name of the user account.
    Important note: You must click Check Names to ensure that the correct user account is added. Do not simply type identitysyncservice and click OK.
  21. Click OK, OK.
  22. The user <CC4_domain>\identitysyncservice should now appear in the list.
  23. On the AD Sync server, open a command prompt and type GPUpdate /force.
  24. Press Enter to update the server policies and then confirm that both Computer Policy and User Policy report as completing successfully.


Checks

Check that the RM Unify AD Sync Service starts and restarts as expected.
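
The same check can be made from the command line. The following is an added example, not part of the original RM article or RM's own tooling: it exports the effective user rights with secedit, lists every account holding 'Log on as a service' and reports whether identitysyncservice is among them. The service display-name pattern and the temporary file name are assumptions.

```powershell
# Added example (not RM's own tooling). Read-only: run from an elevated
# PowerShell session on the RM Unify AD Sync server.
$account      = 'identitysyncservice'   # account name given in this article
$displayMatch = '*RM Unify AD Sync*'    # assumption: service display name pattern

# Export the effective user rights assignments to a temporary INF file.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed file name
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$line = Get-Content $inf |
    Where-Object { $_ -match '^SeServiceLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue

# SeServiceLogonRight is the internal name of 'Log on as a service'.
# Entries are comma separated; SIDs carry a leading '*'.
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }        # SID that no longer resolves to an account
        } else {
            $entry                      # entry stored by name rather than SID
        }
    }
}

# Compare the account part only, so DOMAIN\identitysyncservice also matches.
$hasRight = [bool]($holders | Where-Object { ($_ -split '\\')[-1] -eq $account })

# Show which account the service is configured to log on as, and its state.
$svc = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like $displayMatch }

[pscustomobject]@{
    Account             = $account
    HasLogOnAsAService  = $hasRight
    ServiceLogOnAccount = $svc.StartName
    ServiceState        = $svc.State
    AllHolders          = $holders -join '; '
}
```

HasLogOnAsAService should be True before you retry starting the service. AllHolders also shows whether the other accounts that previously held the right are still listed after the policy edit.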


More Information

How to identify which GPO is delivering the 'Log on as a service' right

In cases of misconfigured group policies, or where there are multiple group policies delivering the 'Log on as a service' right, you can use Resultant Set of Policy on the affected server to identify which group policy delivered the setting:

  1. On the RM Unify AD Sync server, run mmc.exe.
  2. Click File, 'Add/Remove Snap-in'.
  3. Click 'Resultant Set of Policy', Add, OK.
  4. Click 'Resultant Set of Policy'.
  5. Click Action, Generate RSoP Data.
  6. Click Next at each stage of the wizard to accept each default setting.
  7. Click Finish.
  8. Browse to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies and click User Rights Assignment.
  9. In the right-hand window, find 'Log on as a service' and identify the name of the winning group policy under the Source GPO column.

