Nothing is more frustrating than doing everything right and when the moment of payoff appears, getting some MSCryptic error message with no hint as to what the real issue may be.  During a recent setup of SharePoint 2010 I followed my usual script of installing the system and configuring everything using Central Admin.  It went without a hitch until the reboot of the WFE when IIS 7.5 returned a nice 503 error instead of what we were expecting.

The Event Logs and SharePoint logs were useless… Until I saw the Windows Process Activation Service (WAS) error.

Long story short: in locked-down domains where the admins go a little GPO crazy, a domain group policy can override the user rights granted locally to the SharePoint accounts, specifically the “Log on as a batch job” right. IIS application pool identities need “Log on as a batch job”, and the farm account and all the other service accounts need “Log on as a service”. User rights assigned through a domain GPO replace the local assignments rather than merging with them, so the grants that SharePoint setup made locally were silently dropped once the domain policy was applied. That is why setup and the initial run looked fine and the reboot was the culprit: after the reboot the more restrictive domain policy had taken effect by the time IIS and the SharePoint services tried to start.

The fix is to add the application pool accounts to “Log on as a batch job” and all the service accounts to “Log on as a service” in the domain policy itself (not only the local policy, which the GPO would overwrite again), then run “gpupdate /force” on the WFE to refresh the policy. Just for good measure do another reboot and you should see SharePoint in all its glory, humming along and ready for content.
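Before and after the gpupdate it is worth confirming what the effective policy on the WFE actually grants, rather than trusting what Central Admin or the GPO editor shows. The script below is an added example and is not part of the original post: it exports the effective user rights with secedit, resolves each account to its SID (secedit lists holders as SIDs), reports which accounts are missing “Log on as a batch job” (SeBatchLogonRight) or “Log on as a service” (SeServiceLogonRight), and on failure writes an RSoP report so you can see which GPO is winning. The account names are placeholders to replace with your own; run it in an elevated PowerShell session on the WFE.

```powershell
# Added example, not from the original post. Checks whether the SharePoint app pool
# and service accounts hold the two user rights on this WFE after GPO has applied.
# Account names below are placeholders (assumptions); replace them with your own.
$AppPoolAccounts = @('CONTOSO\svc_spapppool')                        # need SeBatchLogonRight
$ServiceAccounts = @('CONTOSO\svc_spfarm', 'CONTOSO\svc_spsearch')   # need SeServiceLogonRight

# secedit writes the effective local policy to an .inf; user rights appear as
# "SeXxxRight = *S-1-5-...,*S-1-5-..." (SIDs prefixed with '*', comma-separated).
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$policy = Get-Content -Path $inf

function Get-RightHolders {
    param([string]$Right)
    $line = $policy | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return @() }   # right absent from the export means nobody holds it
    (($line -split '=', 2)[1]).Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Get-AccountSid {
    param([string]$Account)
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-UserRight {
    param([string]$Account, [string]$Right)
    $holders = Get-RightHolders -Right $Right
    $sid     = Get-AccountSid -Account $Account
    # Direct grants only: a grant inherited through a group (for example IIS_IUSRS)
    # is not resolved here. That is deliberate, because a domain GPO that replaces
    # the list usually drops the default group grants as well, so a direct grant to
    # the account is what you want to confirm.
    return ($holders -contains $sid)
}

$failed = $false
foreach ($a in $AppPoolAccounts) {
    $ok = Test-UserRight -Account $a -Right 'SeBatchLogonRight'
    "{0,-40} Log on as a batch job : {1}" -f $a, $(if ($ok) { 'OK' } else { 'MISSING' })
    if (-not $ok) { $failed = $true }
}
foreach ($a in $ServiceAccounts) {
    $ok = Test-UserRight -Account $a -Right 'SeServiceLogonRight'
    "{0,-40} Log on as a service   : {1}" -f $a, $(if ($ok) { 'OK' } else { 'MISSING' })
    if (-not $ok) { $failed = $true }
}

# If something is missing, the RSoP report names the winning GPO for each setting,
# which is where the fix has to go (a local change would just be overwritten again).
if ($failed) {
    $rsop = Join-Path $env:TEMP 'rsop.html'
    gpresult.exe /scope computer /h $rsop /f | Out-Null
    Write-Warning "Rights missing. See $rsop for the winning GPO, fix it there, then run gpupdate /force and re-run this check."
}

# The original symptom surfaced as a WAS error; show the most recent ones from the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WAS'; Level = 2 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it once before touching the GPO to capture the broken state, again after gpupdate /force, and a final time after the reboot; if the rights are present after the refresh but gone after the reboot, a second GPO is applying later in the order and the RSoP report will show which one.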