none
How do I Assign the Log on as a service user right to NT SERVICE\ALL SERVICES with THIS group policy editor?

    Question

  • I am almost finished with the exhaustive summer task of transitioning a Server 2003 network with four servers, SQL 2005, and Exchange 2003 to Server 2012, Exchange 2013 and 2014. There's been no end of undocumented bugs and glitches along the way. However, it seems that Microsoft has saved the best for last.

    The final task is getting WSUS set up.  As per usual, what should have been a straightforward role installation has run into an undocumented brick wall that was inevitable.  (If it happens on a fresh install of Server 2012, you KNOW that they didn't beta-test it.) 

    I found a third party description of the EXACT problem that I'm having, along with the solution:

    WSUS Role failed on Windows server 2012 with error “the operation cannot be completed because the server that you specified requires a restart”

    The solution is to add the "log on as a service" right to NT SERVICE\ALL SERVICES in the group policy management console.  The author provides nice illustrations of the steps to take. 

    Here's where my frustrations really peak.  This is HIS Server 2012 (not R2) group policy management console:

    And this is MY Server 2012 group policy management console:

    No "user rights assignment" section.  There's a "delegation" tab, but you can't add NT SERVICE\ALL SERVICES to it -- you get "not found" for both the local machine and the domain.  Can anybody tell me how to accomplish what the author accomplished using the limited group policy console I have or a powershell script?

    Wednesday, September 02, 2015 3:09 PM

Answers

  • No "user rights assignment" section.  There's a "delegation" tab, but you can't add NT SERVICE\ALL SERVICES to it --

    You are currently on the Group Policy Management Console, you will have to open Group Policy Management Editor to edit/configure a policy setting.
     
    As mentioned by Joey above, you just right click on the GPO you'd like to edit, then select "Edit".
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    • Marked as answer by ArtSnob Thursday, September 03, 2015 11:48 AM
    Thursday, September 03, 2015 8:12 AM
    Moderator
  • In the left pane, right click the GPO you want to edit and select edit.   Drill down to Computer Configuration>Windows Settings>Security Settings>Local Polices>User Rights Assignment.  You find Log on as a service in the right pane.

    Thursday, September 03, 2015 6:40 AM
  • I talked to Microsoft Technical Support, and found out what the problem was.  I was trying to install it on a domain controller, and that's a no-no.

    https://technet.microsoft.com/en-us/library/ff646928(v=ws.10).aspx

    You'd almost think that they'd make it IMPOSSIBLE to ATTEMPT to install it on a domain controller with a warning message, and avoid the white papers, user frustration and service calls, but that would take an extra 10 minutes of programming.

    • Marked as answer by ArtSnob Thursday, September 03, 2015 9:45 PM
    Thursday, September 03, 2015 9:45 PM

All replies

  • When you define the settings for Log on as a service and you click Add User or Group, simply Type NT SERVICE\ALL SERVICES in the User and group names box. Don't click browse.  When you apply the policy to the server it will apply it just as you defined.
    Wednesday, September 02, 2015 9:19 PM
  • The question is where DO you define the settings for log on as a service in the group policy management console I have to work with.

    Wednesday, September 02, 2015 10:36 PM
  • In the left pane, right click the GPO you want to edit and select edit.   Drill down to Computer Configuration>Windows Settings>Security Settings>Local Polices>User Rights Assignment.  You find Log on as a service in the right pane.

    Thursday, September 03, 2015 6:40 AM
  • No "user rights assignment" section.  There's a "delegation" tab, but you can't add NT SERVICE\ALL SERVICES to it --

    You are currently on the Group Policy Management Console, you will have to open Group Policy Management Editor to edit/configure a policy setting.
     
    As mentioned by Joey above, you just right click on the GPO you'd like to edit, then select "Edit".
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    • Marked as answer by ArtSnob Thursday, September 03, 2015 11:48 AM
    Thursday, September 03, 2015 8:12 AM
    Moderator
  • Thanks.  I had gotten to this point by using the group policy snap-in for MMC, but it's nice to know that server manager allows complete access.

    Unfortunately, my bigger problem (see the link in my first message) persists -- NT Service\MSSQL$SQLEXPRESS still will not log in as a service with both it and NT Service\ALL SERVICES added to the log on as a service properties.

    Thursday, September 03, 2015 12:22 PM
  • I talked to Microsoft Technical Support, and found out what the problem was.  I was trying to install it on a domain controller, and that's a no-no.

    https://technet.microsoft.com/en-us/library/ff646928(v=ws.10).aspx

    You'd almost think that they'd make it IMPOSSIBLE to ATTEMPT to install it on a domain controller with a warning message, and avoid the white papers, user frustration and service calls, but that would take an extra 10 minutes of programming.

    • Marked as answer by ArtSnob Thursday, September 03, 2015 9:45 PM
    Thursday, September 03, 2015 9:45 PM