During the installation of vCenter 6.0 on Windows, be it a Platform Services Controller or a vCenter Server machine, one might encounter a pop-up warning at the very beginning of the installation stating that the user group “NT SERVICE\ALL SERVICES” does not have the log on as a service user right, as shown below:
In an effort to increase the security of vCenter Server, starting from vSphere 6.0 VMware has replaced the use of the local service account in vCenter Server with multiple virtual accounts. In simple terms, there is a virtual account for every service, so that if a particular account is compromised, the exposure is limited to that particular service. For more information, please refer to VMware KB 2124709.
But how do we assign that user right?
Assuming that vCenter is a member of a domain, the answer would be to edit the group policy on domain controller and update it. Let’s see how it is done.
- First, log in to the DC machine.
- Open Run, type mmc and press Enter.
- This opens a console; click Add or Remove Snap-in from the File menu.
- In the Add or Remove Snap-ins window, select Group Policy Management Editor and click Add.
- Click Browse in the Group Policy Wizard, select Default Domain Policy and click OK.
- Click Finish and then OK.
- Go to Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Right-click Log on as a service and select Properties.
- In the Properties window, select the Define these policy settings check box and click the Add User or Group button.
- Type NT SERVICE\ALL SERVICES and click OK.
- Now go to the command prompt and type gpupdate /force to update the policy.
- Also enforce the updated group policy on the proposed vCenter machine by running gpupdate /force at the command prompt there.
Note: vCenter also requires the log on as a service user right for the account that would be used for the vCenter installation, as well as for SYSTEM, etc.
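To confirm on the proposed vCenter machine that the policy took effect after gpupdate /force, the following added example (not part of the original post) exports the machine's user rights with secedit and lists every holder of Log on as a service. It assumes an elevated PowerShell prompt and uses the well-known SID S-1-5-80-0 for NT SERVICE\ALL SERVICES; the function name is hypothetical.

```powershell
# Added example: check who holds "Log on as a service" (SeServiceLogonRight).
# Run from an elevated PowerShell prompt on the proposed vCenter machine.

function Get-ServiceLogonRightHolders {
    param([string]$InfText)   # contents of a "secedit /export" INF file

    # The exported line looks like:
    #   SeServiceLogonRight = *S-1-5-80-0,*S-1-5-18,DOMAIN\account
    $line = ($InfText -split "`r?`n") |
        Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # the right is not assigned to anyone

    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ } |
        ForEach-Object {
            if ($_.StartsWith('*')) {
                # secedit writes SIDs with a leading asterisk
                $sid = $_.Substring(1)
                try {
                    $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { $name = $null }   # SID that cannot be resolved to a name
                [pscustomobject]@{ Sid = $sid; Name = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Name = $_ }
            }
        }
}

$allServicesSid = 'S-1-5-80-0'   # well-known SID of NT SERVICE\ALL SERVICES
$tmp = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $holders = @(Get-ServiceLogonRightHolders -InfText (Get-Content -Raw -Path $tmp))
} finally {
    Remove-Item -Path $tmp -ErrorAction SilentlyContinue
}

$holders | Format-Table -AutoSize
if ($holders.Sid -contains $allServicesSid -or
    $holders.Name -contains 'NT SERVICE\ALL SERVICES') {
    'OK: NT SERVICE\ALL SERVICES holds Log on as a service.'
} else {
    'MISSING: NT SERVICE\ALL SERVICES does not hold Log on as a service.'
}
```

The table also shows whether the installation account and SYSTEM from the note above are present. A user right defined in a domain GPO replaces the local list on the machines it applies to, so check that every account that needs the right appears in the output.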