Server 2012 Hyper-V lost "NT Virtual Machine\Virtual Machines" permissions to "log on as a service"

  • Question

  • We have a 2012 cluster environment running Hyper-V. We have some machines that run fine on Cluster Node 1, but when we try to fail them over to other Cluster Nodes, they fail with the error "Failed to create the planned virtual machine at migration destination. Logon Failure: the user has not been granted the requested logon type at this computer (0x80070569)".

    In researching this problem, I have found the following article that explains how to fix this issue. 

    http://support.microsoft.com/kb/2779204

    However, when I attempt to add the "NT Virtual Machine\Virtual Machines" account to my GPOs, it is unable to find the account name/group "Virtual Machines".

    Does anyone have a detailed explanation of how this should be completed? Thanks.

    Thursday, March 7, 2013 10:11 PM

Answers

  • Hi,

    The group "NT Virtual Machine\Virtual Machines" is a special group. In Windows there are certain special groups that are created by the system and used for special purposes.

    I haven't found a way to grant permissions to these special groups directly, but I did find a way to add this kind of special group to a normal group. So you can create a local group on the Hyper-V host; we name it "VMTest". Then run the command below to add the group "NT Virtual Machine\Virtual Machines" to "VMTest":

    net localgroup VMTest "NT Virtual Machine\Virtual Machines" /add

    After that, grant the “VMTest” group “Log on as a Service” user right.

    Try this workaround and give us feedback for further troubleshooting.

    For more information please refer to following MS articles:

    Starting or Live Migrating Hyper-V virtual machines may fail with error 0x80070569 on Windows Server 2012-based computers
    http://support.microsoft.com/kb/2779204
    How to Add Special Groups to Built-In Groups
    http://support.microsoft.com/kb/292781

    Hope this helps!

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

     


    Lawrence

    TechNet Community Support

    • Marked as answer by Caps8Fan Saturday, March 9, 2013 3:51 AM
    Friday, March 8, 2013 6:42 AM

All replies

  • Hi,

    Thank you for your question. 

    I am currently looking into this issue and will give you an update as soon as possible.

    Thank you for your understanding and support.



    Lawrence

    TechNet Community Support

    Friday, March 8, 2013 5:20 AM
  • Hi Lawrence,

    If we have 10 nodes, do we need to do that on each node?

    regards,

    Giuseppe

    Wednesday, June 19, 2013 10:51 AM
  • You can implement this via GPO actually. You will have to back up the GPO that defines the policy, manually edit the backed-up GPO files with the well-known SID of this group, and import the settings into your GPO.

    Here are the steps required:

    1. If you already define "logon as a service" rights via GPO, locate the applicable GPO.

      If not, you will have to create one.  The setting to be defined is Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service.  Edit the new GPO and set this policy to be defined.
    2. Next you will have to back up the GPO.
      Right-click the Group Policy Objects folder listed under your domain in gpmc.msc, click "Back Up..." and select a folder to save the GPO to.
    3. Open the folder containing the GPO you backed up; it will have a subfolder named with a random GUID.  Navigate down through the <GUID> folder following the path: <GUID>\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit.
    4. Open the GptTmpl.ini file in Notepad.
    5. Look for the line that starts with "SeServiceLogonRight ="; this is the line we need to edit.

      Add '*S-1-5-83-0' to the right side of the "=" operator.  Place a comma between this SID and any others already on that line, or any other groups/SIDs you need to assign the "log on as a service" right to.
    6. Locate the GPO in the Group Policy Objects folder, right-click on it and select "Import Settings," then navigate to the parent folder where you backed the GPO up to, i.e. the folder one level above the <GUID> folder referenced in step 3.
    7. Finish the GPO import.  Using a migration table should not be necessary if you back up, edit the file, and import settings all on the same machine without additional edits.
    8. Here is a quick example of what the minimal config should look like (yours may have additional SIDs or policies included in the GptTmpl.ini file):

      [Unicode]
      Unicode=yes
      [Version]
      signature="$CHICAGO$"
      Revision=1
      [Privilege Rights]
      SeServiceLogonRight = *S-1-5-83-0

    After a successful import, make sure you update your group policy before trying to create/start a VM.

    Mark Taylor (O365)



    Friday, November 15, 2013 1:19 AM
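As an added example (not Mark's script), the edit from steps 3 to 5 above done in PowerShell against the backed-up template, so the SID S-1-5-83-0 is added to SeServiceLogonRight exactly once and nothing already granted the right is lost; the template file is GptTmpl.inf (the name that appears in its SYSVOL path) and is UTF-16, which matters when scripting the edit. The backup folder path is a placeholder; the final lines check that the SID resolves to the special group, which only works on a machine with Hyper-V installed.

```powershell
# Added example, not Mark's own script: patch SeServiceLogonRight in the backed-up
# security template so it carries the well-known SID S-1-5-83-0 exactly once,
# keeping any SIDs or groups already granted the right.
# $BackupRoot is a placeholder for the folder chosen in the "Back Up..." dialog.
function Add-ServiceLogonSid {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,
        [string]$Sid = 'S-1-5-83-0'          # NT Virtual Machine\Virtual Machines
    )
    # The template lives under <GUID>\DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit
    $tmpl = Get-ChildItem -Path $BackupRoot -Recurse -Filter 'GptTmpl.inf' |
            Where-Object { $_.FullName -match '\\Machine\\microsoft\\windows nt\\SecEdit\\' } |
            Select-Object -First 1
    if (-not $tmpl) { throw "No GptTmpl.inf found under $BackupRoot" }

    # The file declares [Unicode] Unicode=yes, so read and write it as UTF-16 LE.
    $lines   = @(Get-Content -Path $tmpl.FullName -Encoding Unicode)
    $entry   = "*$Sid"
    $section = ''
    $found   = $false
    $out     = New-Object System.Collections.Generic.List[string]

    foreach ($line in $lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1] }
        if ($section -eq 'Privilege Rights' -and
            $line -match '^\s*SeServiceLogonRight\s*=\s*(.*)$') {
            $found = $true
            # Existing entries are comma separated; trim and drop empties before comparing.
            $existing = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($existing -notcontains $entry) { $existing += $entry }
            $line = 'SeServiceLogonRight = ' + ($existing -join ',')
        }
        $out.Add($line)
    }
    if (-not $found) {
        # Right not defined yet: add it to [Privilege Rights], creating the section if needed.
        $idx = $out.IndexOf('[Privilege Rights]')
        if ($idx -lt 0) { $out.Add('[Privilege Rights]'); $idx = $out.Count - 1 }
        $out.Insert($idx + 1, "SeServiceLogonRight = $entry")
    }
    Set-Content -Path $tmpl.FullName -Value $out.ToArray() -Encoding Unicode
    return $tmpl.FullName
}

# Usage: edit the backup, then import it with "Import Settings" as in step 6.
Add-ServiceLogonSid -BackupRoot 'C:\GPOBackup'   # placeholder path

# Check on a Hyper-V host: the SID should translate to the special group's name.
$id = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-83-0'
try   { $id.Translate([System.Security.Principal.NTAccount]).Value }
catch { "S-1-5-83-0 does not resolve here; Hyper-V is not installed on this machine" }
```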
  • This last tip worked perfectly for me; the special "hidden group" is now present in my domain GPO.

    I previously added a local group VM_Machine into which I imported, with a manual command "net localgroup ... /add", the special group "NT Virtual Machine ...".

    Hope tomorrow the VMs restart without error...

    A.Raynal

    Friday, November 15, 2013 11:13 AM
  • Worked like a charm. Thanks Mark!
    Wednesday, April 23, 2014 2:20 PM
  • Thank you for finding this.  Microsoft really needs to fix their account selection dialog boxes to include these special accounts.  Special account selection has been broken for years.
    Saturday, October 1, 2016 3:32 PM
  • Works so flawlessly n perfect. Many thx Mark, yo tha man...
    Saturday, January 28, 2017 3:02 PM
  • Good stuff. This is exactly what I needed on Server 2016 with Hyper-V. There was an existing GP that was overriding the defaults. I know it's an old post, but still relevant.

    Thanks!

    Wednesday, May 17, 2017 6:05 PM
  • Mark, 

    I did this, but I am still not seeing these local groups when trying to add them to the "Log on as a service" right from the domain GPO. I have tried the Advanced find, selecting the Entire Directory with all Object Types selected. What am I missing?

    Thank you, 

    Krista

    Thursday, March 29, 2018 4:19 PM
  • You can also edit the policy directly, as it's stored at the following path: "%logonserver%\sysvol\[your domain]\Policies\[your service account GPO GUID]\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

    Replace the relevant parts with your domain and your GUID, as appropriate, of course.

    Monday, June 25, 2018 10:21 PM
  • Thank you! Your Post helped me to fix the HyperV Cluster again. After this, all my VMs could be moved again.

    Wednesday, September 19, 2018 2:29 PM
  • I just ran into the same issue. None of the above text edits are needed.  The issue is that the machine that you are running the GP Editor on does not have Hyper-V installed on it.  If you install Hyper-V, the special group is created on that machine. At this point, you can type it into the selection boxes in GP Editor and it will be accepted.

    It seems that "NT Virtual Machine\Virtual Machines" account is only locally defined and is not a part of AD, so not available to be resolved without Hyper-V's presence on the system.

    The other option would be to just run GP Editor on a Hyper-V host system, if you don't want to install Hyper-V just to get the group created.

    • Proposed as answer by cryptonym Thursday, February 7, 2019 3:02 PM
    Thursday, February 7, 2019 2:56 PM