How to add NT Virtual Machine\Virtual Machines to GPO?

I have a Windows 2012 Server with Hyper-V enabled and a few virtual machines.

My current configuration has a few account in the "Log on as a service" list in the domain policies, and sometimes this prevent my virtual machines from starting, I get this error:

Error 0x80070569 ('VM_NAME' failed to start worker process: Logon Failure: The user has not been granted the requested logon type at this computer.

As described in this KB I would like to add NT Virtual Machine\Virtual Machines to my "Log on as a service" list to resolve my problem.

My problem is that when I try to add that user to my domain policy I get an error message:

The following account could not be validated

My domain controller obviously doesn't know about that user since it's not an Hyper-V enabled server.

How can I add that account to my Domain Policies?

The accepted answer didn't work for me - domain controller being Windows 2012 (not R2).

What did work for me I found here: https://social.technet.microsoft.com/Forums/en-US/d56f2eae-726e-409a-8813-670a406593e8/server-2012-hyperv-lost-quotnt-virtual-machinevirtual-machinesquot-permissions-to-quotlog-on?forum=winserverhyperv

which I've copied below:

1. If you already define "logon as a service" rights via GPO, locate the applicable GPO.

   If not, you will have to create one. The setting to be defined is Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service. Edit the new GPO and set this policy to be defined.

2. Next you will have to backup the GPO.

   Right click the Group Policy Objects folder listed under your domain in gpmc.msc, click "Back Up..." and select a folder to save the GPO to.

3. Open the folder containing the GPO you backed up, it will have a sub folder named with a random GUID. Navigate down through the folder following the path: <GUID>\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit

4. Open the GptTmpl.ini file in notepad.

5. Look for the line that starts with "SeServiceLogonRight =", this is the line we need to edit.

   Add '*S-1-5-83-0' to the right side of the "=" operator. Place a comma between this SID and any others already in that line or any other groups/SIDs you need to assign logon as a service rights to. Save.

6. Locate the GPO in the Group policy Objects folder, right click on it and select "Import Settings," navigate to the parent folder where you backed the GPO up to, IE: the folder 1 level above the folder referenced in step 3.

7. Finish the GPO import. Using a migration table should not be necessary if you backup, edit the file, and import settings all on the same machine without additional edits.

8. Here is a quick example of what the minimal config should look like (yours may have additional SIDs or policies included in the GptTmpl.ini file):

[Unicode] Unicode=yes [Version] signature="$CHICAGO$" Revision=1 [Privilege Rights] SeServiceLogonRight = *S-1-5-83-0

After a successful import, make sure you update your group policy before trying to create/start a VM.