WSUS role and feature addition on 2012 R2 fails to install, logging this message:


  • Fatal Error: Cannot start service MSSQL$MICROSOFT##WID on computer '.'.

    The specified account has not been given login as a service right.

    Now, I'm assuming they create that goofy named account to run the instance of the internal db, but they have apparently forgotten to add automation to set the right to log on as a service. This is a bug; I have the same results on two different Server 2012 R2 installs. Is there a manual fix for this somewhere I can try? Very irritating.

    Thursday, June 26, 2014 4:20 PM

All replies

  • Hi,

    >>Fatal Error: Cannot start service MSSQL$MICROSOFT##WID on computer '.'.

    >>The specified account has not been given login as a service right.

    Regarding this error, we can refer to the following article to troubleshoot.

    "MSSQL$MICROSOFT##WID service was unable to log on as NT SERVICE\MSSQL$MICROSOFT##WID" error when you install WID in Windows Server 2012

    Besides, the following thread focused on a similar issue and can be referred to for more information.

    WSUS roles install on Server 2012 Fails

    Best regards,

    Frank Shen

    Friday, June 27, 2014 5:18 AM
  • > they have apparently forgot to add automation to set the right to logon
    > as a service
    Are these servers members of a domain? In this case, the logon as service
    privilege might get overridden within a domain GPO...


    Want to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, June 30, 2014 10:12 AM
  • I fixed the problem by installing the Windows Internal Database feature only. Let it fail, then reboot, and the NT SERVICE\MSSQL$MICROSOFT##WID account is apparently created. Now go into Default Domain Policy and set up computer rights for this user to log on as a service. Once you do this, reboot, then install the Windows Internal Database and it will complete. NOW, you can install WSUS without a problem.

    Ridiculous. By default all virtual accounts should be able to log on as a service. Since the account is virtual I don't understand why this would be a security problem. Please fix that.

    Tuesday, July 01, 2014 4:49 PM
  • When I attempt to do this on a domain controller, in Group Policy Management Editor, I get the message "the following accounts could not be validated: NT SERVICE\MSSQL$MICROSOFT##WID".

    Does this imply that I need to first upgrade our domain controllers to Server 2012 R2?

    Thursday, June 18, 2015 6:44 PM
  • Like others, I don't have the option of editing local security policy, and the group policy editor doesn't recognise anything remotely like the various NT SERVICE\ accounts being suggested. However, after a bit of tinkering the following solved the problem (this site won't let me post a link to the site I found it on until my account has been verified):

    1. Open the group policy editor and navigate to the Default Domain Policy (unless on a domain controller, in which case to Default Domain Controller Policy instead)
    2. Navigate to Policies -> Windows Settings -> Security Settings -> Local Policy -> User Rights Assignment
    3. Find the “Log on as a service” policy and edit it.
    4. Click on the “Add user or group” button.
    5. Add the following users: IIS_WPG, NETWORK, NETWORK SERVICE, SERVICE
    6. Open an elevated command prompt, enter gpupdate /force. Wait for it to successfully complete
    7. Now try and run WSUS again.

    I can't believe this is still an issue though. What a shambles.

    Thursday, June 25, 2015 4:19 PM
  • @Miked1880

    I am so very indebted to you for posting this solution to the problem described. As you wrote - "what a shambles". It's almost as if MS don't want you to update or even use their frigging product.

    Thursday, January 21, 2016 3:30 PM
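
The replies above trace the failure to the "Log on as a service" right being set by a domain GPO. The following is an added example, not code from any poster in this thread, that shows which principals actually hold that right on the affected server, so the list can be checked before and after a GPO change. It assumes an elevated PowerShell prompt on that server; the temp file name is hypothetical.

```powershell
# Added example: list who holds "Log on as a service" (SeServiceLogonRight)
# on this server. Run from an elevated PowerShell prompt.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical temp file name
secedit /export /mergedpolicy /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# The export holds one line per right, for example (constructed sample):
#   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20
$match = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$entries = @()
if ($match) {
    $entries = @(($match.Line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Entries prefixed with '*' are SIDs; anything else is already an account name.
$holders = foreach ($entry in $entries) {
    if ($entry.StartsWith('*')) {
        $sid = $entry.TrimStart('*')
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '(SID does not resolve on this machine)'
        }
    } else {
        $sid = ''; $name = $entry
    }
    [pscustomobject]@{ Sid = $sid; Name = $name }
}
$holders | Format-Table -AutoSize

# Service SIDs start with S-1-5-80-; S-1-5-80-0 is NT SERVICE\ALL SERVICES.
$serviceSids = @($holders | Where-Object {
    $_.Sid -like 'S-1-5-80-*' -or $_.Name -like 'NT SERVICE\*' })
if ($serviceSids.Count -gt 0) {
    'Service SIDs hold the right: ' + ($serviceSids.Name -join ', ')
} else {
    Write-Warning 'No NT SERVICE\* principal holds SeServiceLogonRight.'
}
```

If the warning fires on a domain-joined server, `gpresult /h report.html` run on the same machine shows which policy object defines the right.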