According to Microsoft NT Virtual Machine\Virtual Machines is a “special identity” new to Hyper-v 2012. However if this “special identity” loses the log on as a service right your VMs will receive one of these errors when you try to start or move them:
- Error 0×80070569 (‘VM_NAME’ failed to start worker process: Logon Failure: The user has not been granted the requested logon type at this computer.)
- Failed to create Planned Virtual Machine at migration destination: Logon failure: the user has not been granted the requested logon type at this computer. (0×80070569)
It appears that if there is a group policy being applied to a hypervisor that has the log on as a service
settings populated at some point, and I haven’t figured out when NT Virtual Machine\virtual machines
identity will get disappear. Microsoft provides a list of 3 possible workarounds if you run into this problem. They also note that “Microsoft is currently investigating this issue to determine a root cause.” Here is the link
to the proposed workarounds.
None of these “workarounds” are very appealing for a production network.
I don’t believe running gpupdate /force every time you need to reboot or move a VM can be seriously entertained as a long term fix.(however if in a pinch and you just need to restart your VM this will do it)
The second workaround states “Edit the policy to include NT Virtual Machine\Virtual Machines in the entries for log on as a Service this is more difficult than it sounds because NT Virtual Machine\Virtual Machines is a “special identity” only found in Server 2012/Windows8 (with hyper-v role) , you can not just add it though the GPMC on a Server 2008 domain controller as it did not exist in Server 2008.
The third workaround is to set up a windows 8 machine, install RSAT and the client Hyper-v role , this should work but i think I have a better solution below…
In the last section of this article it states that the best practice for a hyper-v host is to only apply GPOs with settings that apply specifically to hyper-v. This is great if you can get the go ahead, I however could not.
Here are the steps I took to get the NT Virtual Machine\Virtual Machines “special identity” to always appear in the log on as a service user rights on my hyper-v 2012 nodes :
I identified the group policy (ex. user_rightGP) being applied to my hyper-v nodes where I wanted to add NT Virtual Machine\Virtual Machines to the log on as a service user right.
On a hyper-v 2012 node w/GUI:
- Run RSOP on the selected hyper-v node
- In the RSOP window, right-click Computer Configuration and select properties
- On the general tab highlight the GPO (ex. user_rightGP) where your going to add the “special identity” (NT Virtual Machine\Virtual Machines)
- With that policy (ex. user_rightGP) highlighted selected, hit the edit button in the bottom right of the screen.
- At the local group policy editor window browse to the log on as a service setting (Computer configuration – Windows settings - Security settings – Local policies – User rights assignment)
- Double click and then “add users or group” (from the hyper-v node you can added theNT Virtual Machine\Virtual Machines special group and it will resolve (you can only add this group to a GPO if you are doing it from a machine that has the hyper-v role installed)
- Once the “special identity” is listed hit ok.
- Hit ok again and then close to exit the policy.
Once these steps are complete you can open GPMC wherever you have it installed:
- Open GPMC and find the policy modified
- Browse to the logon as a service setting
- The NT virtual machine\virtual machines account will not be displayed. Instead you will see this S-1-5-83-0 (this is because the NT Virtual Machine “special identity” is local to hyper-v 2012 nodes)
To confirm that the GPO is now adding the NT Virtual Machine\Virtual Machines identity to all your hyper-v 2012 nodes you can do the following (after group policy has been updated on your hypervisors, 90min +-30 by default):
On a hyper-v 2012 node w/GUI:
- Run RSOP
- In the RSOP window right-click the computer name in top left of the RSOP screen and select change query
- At the Computer configuration selection screen select another computer and enter the name of one of your other (non-GUI) hyper-v nodes then hit next
- At the user selection screen select do not display user policy…..” (login as a service is a computer config)
- Hit next twice, then finish
Once the results have been generated browse to the log on as a service user setting to see that NT virtual machine\Virtual machines is being applied by the group policy to all your hyper-v 2012 nodes.
Good night and good luck!!!