When installing any role or feature on Windows Server 2016, an error appears saying that the server requires a restart: “The request to add or remove features on the specified server failed. The operation cannot be completed, because the server that you specified requires a restart”. OK, we restart the server and try to install the role again. The same error appears, and it keeps coming back after every restart.
As a result, we cannot install or remove any of the roles/features on Windows Server even after restarting the server and installing the latest updates.
The server event log (Event Viewer -> Windows Logs -> System) shows an error with the EventID 7041 and Service Control Manager as a source. The event description says:
This service account does not have the required user right "Log on as a service".
To solve the problem, you must grant the “Log on as a service” right to “NT SERVICE\ALL SERVICES” (and to NT SERVICE\MSSQL$MICROSOFT##WID, if the error is related to the installation of the WSUS role or SQL Server role).
- Open the Local Group Policy Editor: gpedit.msc
- Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment;
- Find the Log on as a service policy;
- As you can see, there is no NT SERVICE\ALL SERVICES in this policy. Let’s try to add it: Add User or Group -> NT SERVICE\ALL SERVICES. An error occurs: name not found.
How can you add a service account to a local policy? The only possible way I could find to grant the “Log on as a service” permissions to NT SERVICE\ALL SERVICES is to use the ntrights.exe tool (from the old Windows Server 2003 Resource Kit).
Download and install the Server 2003 Resource Kit (rktools.exe), then grant the SeServiceLogonRight privilege by running these commands in an elevated command prompt:
cd "C:\Program Files (x86)\Windows Resource Kits\Tools"
ntrights.exe +r SeServiceLogonRight -u "NT SERVICE\ALL SERVICES"
Granting SeServiceLogonRight to NT SERVICE\ALL SERVICES ... successful
ntrights.exe +r SeServiceLogonRight -u "NT SERVICE\MSSQL$MICROSOFT##WID"
Make sure that NT SERVICE\ALL SERVICES has appeared in the “Log on as a service” permissions in the Group Policy Editor console.
Restart your Windows Server and try to install/remove a role again. No errors should appear.
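To confirm the result without the GUI, the following added example (not part of the original article) exports the local user rights with secedit, lists every holder of SeServiceLogonRight, and reports whether NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0) is among them. The temp file name and the list of groups treated as too broad are assumptions made for this example; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit "Log on as a service" (SeServiceLogonRight) on the local server.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # hypothetical temp file name
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# secedit writes lines such as: SeServiceLogonRight = *S-1-5-80-0,*S-1-5-20
$line = Get-Content -Path $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
Remove-Item -Path $cfg -Force
$entries = @()
if ($line) {
    $entries = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

# S-1-5-80-0 is NT SERVICE\ALL SERVICES; the groups below are this example's
# assumption of what counts as an over-broad grant of the right.
$allServices = 'S-1-5-80-0'
$tooBroad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users' }

$holders = foreach ($e in $entries) {
    if ($e.StartsWith('*')) {
        # Entry stored as a SID: resolve it to a name for display
        $sid = $e.TrimStart('*')
        try { $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
    } else {
        # Entry stored as an account name: resolve it to a SID for comparison
        $name = $e
        try { $sid = ([System.Security.Principal.NTAccount]$e).Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = '(unresolved)' }
    }
    [pscustomobject]@{ Sid = $sid; Name = $name; TooBroad = $tooBroad.ContainsKey($sid) }
}
$holders | Format-Table -AutoSize

if ($holders.Sid -contains $allServices) { 'OK: NT SERVICE\ALL SERVICES holds SeServiceLogonRight' }
else { 'MISSING: NT SERVICE\ALL SERVICES does not hold SeServiceLogonRight' }
$holders | Where-Object TooBroad | ForEach-Object { "WARNING: broad principal holds the right: $($_.Name)" }

# Recent Service Control Manager 7041 events name the account that lacked the right
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7041 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message | Format-List
```

If a domain GPO also defines “Log on as a service”, it overwrites the local setting at the next policy refresh, so rerun the check after gpupdate.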
9 comments
Good day.
Do you perhaps have a working link for the Windows Server 2003 Resource Kit?
I have scoured the internet with no luck of finding it.
Try this: http://pub.agrarix.net/Windows/Windows%20Server%202003%20Resource%20Kit%20Tools/
I love using ntrights, as it’s from MS… but it’s not included anywhere any more, to my knowledge.
And I can’t believe how monumentally crippled PowerShell seems to be in trying to add something like a privilege to a user.
Thanks for the article. Saved me from a major headache.
It’s a security risk, but you could add “everyone”. I did it and solved my problem without the ntrights tool.
Hi… I did this but it did not work…. I even tried my man’s suggestion above me….
This article worked for me, great job and a great find as most posts on other sites only state (over and over again) to uninstall/re-install WSUS and if that didn’t work you did those steps wrong. Good Article, thanks!
BTW – I found the Kit here: https://gist.github.com/eyecatchup/0107bab3d92473cb8a3d3547848fc442
I’m on Windows Server 2022 and got this error, but NT SERVICE\ALL SERVICES was already in the policy.
Do you have any idea? I have the same problem.