How to add NT Virtual Machine\Virtual Machines to GPO?

2

I have a Windows 2012 Server with Hyper-V enabled and a few virtual machines.

My current configuration has a few accounts in the "Log on as a service" list in the domain policies, and sometimes this prevents my virtual machines from starting. I get this error:

Error 0x80070569 ('VM_NAME' failed to start worker process: Logon Failure: The user has not been granted the requested logon type at this computer.

As described in this KB I would like to add NT Virtual Machine\Virtual Machines to my "Log on as a service" list to resolve my problem.

My problem is that when I try to add that user to my domain policy I get an error message:

The following account could not be validated

My domain controller obviously doesn't know about that user since it's not a Hyper-V enabled server.

How can I add that account to my Domain Policies?

windows
hyper-v
windows-server-2012
asked on Server Fault Mar 29, 2014 by user214468 • edited Mar 29, 2014 by Andrew Schulman

3 Answers

2

The accepted answer didn't work for me - domain controller being Windows 2012 (not R2).

What did work for me I found here: https://social.technet.microsoft.com/Forums/en-US/d56f2eae-726e-409a-8813-670a406593e8/server-2012-hyperv-lost-quotnt-virtual-machinevirtual-machinesquot-permissions-to-quotlog-on?forum=winserverhyperv

which I've copied below:

  1. If you already define "logon as a service" rights via GPO, locate the applicable GPO.

    If not, you will have to create one. The setting to be defined is Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service. Edit the new GPO and set this policy to be defined.

  2. Next you will have to back up the GPO.

    Right click the Group Policy Objects folder listed under your domain in gpmc.msc, click "Back Up..." and select a folder to save the GPO to.

  3. Open the folder containing the GPO you backed up; it will have a subfolder named with a random GUID. Navigate down through the folder following the path: <GUID>\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit

  4. Open the GptTmpl.ini file in notepad.

  5. Look for the line that starts with "SeServiceLogonRight =", this is the line we need to edit.

    Add '*S-1-5-83-0' to the right side of the "=" operator. Place a comma between this SID and any others already in that line or any other groups/SIDs you need to assign logon as a service rights to. Save.

  6. Locate the GPO in the Group Policy Objects folder, right click on it and select "Import Settings," navigate to the parent folder where you backed the GPO up to, i.e. the folder 1 level above the folder referenced in step 3.

  7. Finish the GPO import. Using a migration table should not be necessary if you back up, edit the file, and import settings all on the same machine without additional edits.

  8. Here is a quick example of what the minimal config should look like (yours may have additional SIDs or policies included in the GptTmpl.ini file):

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Privilege Rights]
    SeServiceLogonRight = *S-1-5-83-0

After a successful import, make sure you update your group policy before trying to create/start a VM.

answered on Server Fault Dec 17, 2019 by Brian Cryer
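
The file edit in steps 3 to 5 of the answer above, as an added PowerShell example that is not part of the original answer: it appends the SID only when it is missing, keeps every existing entry, and writes the template back as UTF-16. The function name, the backup path and the GPO name in the usage comments are hypothetical.

```powershell
# Added example (not from the original answer): idempotent version of steps 3-5.
function Add-VmSidToGpoBackup {
    param(
        [Parameter(Mandatory)] [string] $BackupFolder,  # the {GUID} folder from step 3
        [string] $Sid = '*S-1-5-83-0'                    # SID given in step 5
    )
    $dir = Join-Path $BackupFolder 'DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit'
    # Match by base name: the answer calls the file GptTmpl.ini, backups may carry it as GptTmpl.inf.
    $file = Get-ChildItem -LiteralPath $dir -Filter 'GptTmpl.*' -ErrorAction Stop | Select-Object -First 1
    if (-not $file) { throw "No GptTmpl.* file found in $dir" }

    # Security templates are normally UTF-16 LE (note Unicode=yes); keep that encoding.
    $lines = @(Get-Content -LiteralPath $file.FullName -Encoding Unicode)
    $out = New-Object 'System.Collections.Generic.List[string]'
    $inSection = $false
    $done = $false

    foreach ($line in $lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving [Privilege Rights] without the right defined: define it here.
            if ($inSection -and -not $done) { $out.Add("SeServiceLogonRight = $Sid"); $done = $true }
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $line -match '^\s*SeServiceLogonRight\s*=\s*(.*)$') {
            # Keep every existing entry, append the SID only if it is missing.
            $entries = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($entries -notcontains $Sid) { $entries += $Sid }
            $line = 'SeServiceLogonRight = ' + ($entries -join ',')
            $done = $true
        }
        $out.Add($line)
    }
    if (-not $done) {
        # No such line anywhere: create the section if needed, then the right.
        if (-not $inSection) { $out.Add('[Privilege Rights]') }
        $out.Add("SeServiceLogonRight = $Sid")
    }
    Set-Content -LiteralPath $file.FullName -Value $out -Encoding Unicode
    return ($out | Where-Object { $_ -like 'SeServiceLogonRight*' })  # resulting line, for review
}

# Constructed usage; 'C:\GPOBackup' and 'Service Logon Rights' are placeholders.
# $b = Backup-GPO -Name 'Service Logon Rights' -Path 'C:\GPOBackup'
# Add-VmSidToGpoBackup -BackupFolder (Join-Path 'C:\GPOBackup' "{$($b.Id)}")
# Import-GPO -BackupId $b.Id -Path 'C:\GPOBackup' -TargetName 'Service Logon Rights'
```

Review the returned line before importing: every account or SID that should keep the right must still be listed, because a defined "Log on as a service" policy replaces the local assignment on each machine it applies to.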
1

Looks like the quoted KB has been updated:

LINK: http://support.microsoft.com/kb/2779204/

Solution:

Perform the following steps on the Hyper-V host machine:

Log on as a Domain Administrator

Install the Group Policy Management feature from the Server Manager console

After installation, open the GPMC MMC snap-in and browse to the policy that manages User Rights

Open the Group Policy Management console and browse to the policy that manages User Rights

Edit the policy to include NT Virtual Machine\Virtual Machines in the entries for Log on as a Service

Close the policy editor and initiate a gpupdate /force on the Hyper-V host computer to refresh policy. (You may need to wait several minutes for Active Directory replication to occur).

This enabled me to add NT Virtual Machine\Virtual Machines to my domain policies regarding users allowed to log on as service.

answered on Server Fault Mar 29, 2014 by Mohamed Wali • edited Mar 4, 2019 by Michael Hampton
0

I was having the same issue and it was driving me nuts. Simply restarting the server fixed the "Log on as a service" error. Hope this helps someone else and saves them some time.

answered on Server Fault Mar 6, 2015 by David Thomas Garcia

User contributions licensed under CC BY-SA 3.0