“Log on as a service” user right to “NT SERVICE\ALL SERVICES” for vCenter 6

During the installation of vCenter 6.0 on Windows, whether on a Platform Services Controller or a vCenter Server machine, you might encounter a pop-up warning at the very beginning of the installation stating that the user group “NT SERVICE\ALL SERVICES” does not have the “Log on as a service” user right.

To increase the security of vCenter Server, starting with vSphere 6.0 VMware has replaced the local service account used by vCenter Server with multiple virtual accounts. In simple terms, every service gets its own virtual account, which limits the exposure to that one service if its account is compromised. For more information, please refer to VMware KB 2124709.

But how do we assign that user right?

Assuming that vCenter is a member of a domain, the answer is to edit the group policy on the domain controller and update it. Let’s see how it is done.

  1. First, log in to the DC machine.
  2. Open Run, type mmc and press Enter.
  3. A console opens; click Add or Remove Snap-in from the File menu.
  4. In the Add or Remove Snap-ins window, select Group Policy Management Editor and click Add.
  5. Click Browse in the Group Policy wizard, select Default Domain Policy and click OK.
  6. Click Finish and then OK.
  7. Go to Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  8. Right-click Log on as a service and select Properties.
  9. In the Properties window, select the Define these policy settings check box and click the Add User or Group button.
  10. Type NT SERVICE\ALL SERVICES and click OK.
  11. Now go to the command prompt and type gpupdate /force to update the policy.
  12. Also enforce the updated group policy on the proposed vCenter machine by running gpupdate /force at the command prompt.

That’s all

Note: vCenter also requires the “Log on as a service” user right for the account that will be used for the vCenter installation, as well as for SYSTEM, etc.
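
A check to run on the vCenter machine after step 12, as an added example that is not part of the original post: it exports the machine's user-rights assignments with secedit and confirms that NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0) holds SeServiceLogonRight, the internal name of “Log on as a service”. It also lists every current holder, because a GPO that defines this right replaces the machine's local list rather than adding to it; the function names are hypothetical.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell
# prompt on the vCenter machine after gpupdate /force.
$AllServicesSid = 'S-1-5-80-0'   # well-known SID of NT SERVICE\ALL SERVICES

function Get-ServiceLogonRightHolder {
    # Export only the user-rights area of the machine's current security settings.
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /areas USER_RIGHTS /cfg $cfg | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # the right is assigned to nobody

        # Comma-separated list: SIDs carry a '*' prefix, account names do not.
        ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Resolve-Holder([string]$Entry) {
    if ($Entry -match '^\*(S-1-.+)$') {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
        try   { return $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $sid.Value }   # SID that cannot be resolved to a name
    }
    return $Entry                     # already an account name
}

$holders = @(Get-ServiceLogonRightHolder)
$holders | ForEach-Object { '{0,-50} {1}' -f $_, (Resolve-Holder $_) }

$present = ($holders -contains "*$AllServicesSid") -or
           ($holders -contains 'NT SERVICE\ALL SERVICES')
if ($present) {
    'OK: NT SERVICE\ALL SERVICES holds "Log on as a service".'
} else {
    Write-Warning 'NT SERVICE\ALL SERVICES is missing; check gpresult /r, then rerun gpupdate /force.'
}
```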

 

Useful Resources:
1.  http://blogs.technet.com/b/canitpro/archive/2013/05/23/windows-server-2012-and-group-policy.aspx

2.  http://me.go-unified.com/ssign-log-on-as-a-service-user-rights-to-a-local-system-account-via-gpo-using-wmi-filters/

3.  http://www.itcrumbs.com/?p=265

 

17 thoughts on ““Log on as a service” user right to “NT SERVICE\ALL SERVICES” for vCenter 6”

  1. When I want to add user and group “NT Service/ALL Services” I get this error:

    User and group names may not contain any of the following character:
    ” / [ ] : | + = ; , ? , * \

    plz help …

  2. Re-read the message from the vCenter installer: it is NT SERVICE\ALL SERVICES, not NT SERVICE/ALL SERVICES

  3. Happens to me too…

    When I want to add user and group “NT Service/ALL Services” I get this error:

    User and group names may not contain any of the following character:
    ” / [ ] : | + = ; , ? , * \

    plz help …
