This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 28.999999999999996%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Hi
So we have recently implemented(defined specific accounts) the default domain level policy of Logon on as as service.
Problem now is certain Hyper-V actions(Create a new machine) will fail with error - Logon failure: the user has no been granted the rights etc...)
On Investigation the 'NT VIRTUAL MACHINE\Virtual Machines' account needs to added to the Logon on as a Service policy.
However this can only be done by editing the Domain group policy on the Hyper-V host as this is only place account exists(have tried from DC).
The problem I have is that suggested fic requires the GP editor to run on the Hyper-V hosts, which I can't do as the server is headless. https://learn.microsoft.com/en-US/troubleshoot/windows-server/virtualization/starting-or-live-migrating-hyper-v-vms-fails#workaround
Method 1 is to move the hyper-V machine to its own org unit, but that is my last resort, so can the above methods be done through powershell etc...? P.S. its just me or is Windows Headless implementation halve baked, always seem to be getting caught with stuff like this, where you just can't do what you could if it had full GUI. I.E. Process/Resource monitoring tools require gui
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi @kivers@avaeon.com Thank you for your feedback. I will add the solution as a comment to be able to validate it and close this thread. Please don't forget to accept helpful answer
OK I solved this in the mean time. It occurred to me the "NT VIRTUAL MACHINE\Virtual Machines" might be a generic group and it wouldn't have to be added directly from that specific headless hyper-V server.
So given my own local windows 11 installation was running hyper-V, I was able to download the RSAT(Remote Server Administration Tools) tools.
Logon as a domain admin -> Windows Tools -> Group Policy Editor and edit the Logon as service policy.
There's a gotcha on the final step though, I was trying to find the group on the local machine (I could see it listed through powershell), but it wouldn't find it, no mater what combination of objects you search.
However I remembered you can just edit the policy in plain text, so added the "NT VIRTUAL MACHINE\Virtual Machines" account and it added successfully(This plain text edit will not work on the DC).
Once I ran Gpudate on the affected hyper-V server, I could then create a machine.
If you view the policy now on the DC, it will just show a user sid in place of the NT VIRTUAL MACHINE\Virtual Machines account.
So all good.
BTW: the original solution and the above are pure hacksville, come on MS you can do better!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 19%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
Do a backup of the Group Policy and use a text editor to add "*S-1-5-83-0" to the log-on as a service policy. You'll find the text in a .inf file. Drill down into the backup, and you'll find it. Then import it back as the settings for the GPO. You don't need to use a table when it asks. You must do this backup/import from the Group Policy Manager in the home folder for all Group Policies.