It’s been a while since I upgraded an old version of vCenter Server to 6.0 and I totally forgot about the error that pops up about NT Service\All Services not having Log on as a Service rights. I was actually going to blog about this when I encountered the error at the start of the year, but it totally slipped my mind. I think I need to start keeping a list of things I have to blog about (old age)!
Starting with vCenter Server 6.0 for Windows, virtual accounts replaced the Local Service Accounts used to run the vCenter Server services. The change improves security within the Windows OS by ensuring that a compromised account or service cannot access other services that use the same account: each service is placed in its own silo with its own account. Even if a user gains access to a single virtual account, they are limited to the functionality of that account and to that single service.
For more information about the new virtual accounts, point your browser to VMware’s KB: https://kb.vmware.com/kb/2124709
As the Windows VM on which I was upgrading vCenter Server is attached to an AD domain, I decided to amend the group policy on the domain controller.
- Open up Group Policy Manager, and edit the “Default Domain Policy”
- Navigate down to “Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment”
- Edit the “Log on as a service” properties and ensure the box next to “Define these policy settings:” is ticked. Click “Add User or Group” and enter “NT SERVICE\ALL SERVICES”.
- Force an update to the local GPO by opening a command prompt and typing “gpupdate /force”.
- Now update the Windows VM that has vCenter Server installed by opening up a command prompt and running the same “gpupdate /force” command.
- Continue with the vCenter Server upgrade/install.
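
Before continuing with the upgrade, the result of the steps above can be checked on the vCenter Server VM. The following PowerShell is an added example, not part of the original post or of VMware's tooling: it exports the user rights currently applied on the machine with `secedit`, lists every holder of “Log on as a service”, and confirms that NT SERVICE\ALL SERVICES (well-known SID S-1-5-80-0) is among them. It assumes an elevated prompt; the temporary file name is arbitrary.

```powershell
# Added example: verify the "Log on as a service" assignment after gpupdate /force.
# Run from an elevated PowerShell prompt on the vCenter Server VM.

$AllServicesSid  = 'S-1-5-80-0'                 # well-known SID of NT SERVICE\ALL SERVICES
$AllServicesName = 'NT SERVICE\ALL SERVICES'
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())   # arbitrary temp file

try {
    # Export only the user rights section of the security policy applied to this machine.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    # SeServiceLogonRight is the internal name of "Log on as a service".
    $match = Select-String -Path $cfg -Pattern '^\s*SeServiceLogonRight\s*=' |
             Select-Object -First 1
    if (-not $match) { throw 'SeServiceLogonRight is not assigned to any account.' }

    # Entries are comma separated; SIDs are written with a leading asterisk.
    $holders = ($match.Line -split '=', 2)[1].Split(',') |
               ForEach-Object { $_.Trim().TrimStart('*') } |
               Where-Object { $_ }

    # Show every holder, resolving SIDs to names where possible, so the full
    # effect of the domain policy on this machine is visible.
    $holders | ForEach-Object {
        $account = $_
        if ($_ -like 'S-1-*') {
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]$_
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $account = '(unresolved SID)' }
        }
        [pscustomobject]@{ Entry = $_; Account = $account }
    } | Format-Table -AutoSize

    if (($holders -contains $AllServicesSid) -or ($holders -contains $AllServicesName)) {
        Write-Host "$AllServicesName holds 'Log on as a service'."
    } else {
        Write-Warning "$AllServicesName is missing; check that the GPO applied to this machine."
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

The holder list is worth reading in full: a user right defined in a domain GPO replaces the locally configured assignment on every machine the policy applies to, so accounts that previously held the right only locally will no longer appear.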
More info on the Log on as a service can be found at the following Microsoft Technet articles: