The same problem I met with.. The only difference that in my case the inactive setting is the "Log on as a service" ... Yesterday I added a new domain service user to the Domain Security Policy's "Log on as a service" field. There're 2 W2k SP4 DCs here, Native mode (no pre-2000 DCs). The server I'm trying to set is W2K3 SP1, up-to-date. Any ideas?