Hyper-v 2012 – Logon failure errors and fix

According to Microsoft NT Virtual Machine\Virtual Machines is a “special identity” new to Hyper-v 2012. However if this “special identity” loses the log on as a service right your VMs will receive one of these errors when you try to start or move them:
  • Error 0x80070569 (‘VM_NAME’ failed to start worker process: Logon Failure: The user has not been granted the requested logon type at this computer.)
  • Failed to create Planned Virtual Machine at migration destination: Logon failure: the user has not been granted the requested logon type at this computer. (0x80070569)
It appears that if there is a group policy being applied to a hypervisor that has the log on as a service settings populated at some point, and I haven’t figured out when NT Virtual Machine\virtual machines identity will get disappear. Microsoft provides a list of 3 possible workarounds if you run into this problem. They also note that “Microsoft is currently investigating this issue to determine a root cause.” Here is the link to the proposed workarounds.
None of these “workarounds” are very appealing for a production network.
Method 1:
I don’t believe running gpupdate /force every time you need to reboot or move a VM can be seriously entertained as a long term fix.(however if in a pinch and you just need to restart your VM this will do it)
Method 2:
The second workaround states “Edit the policy to include NT Virtual Machine\Virtual Machines in the entries for log on as a Service this is more difficult than it sounds because NT Virtual Machine\Virtual Machines is a “special identity” only found in Server 2012/Windows8 (with hyper-v role) , you can not just add it though the GPMC on a Server 2008 domain controller as it did not exist in Server 2008.
Method 3:
The third workaround is to set up a windows 8 machine, install RSAT and the client Hyper-v role , this should work but i think I have a better solution below…
In the last section of this article it states that the best practice for a hyper-v host is to only apply GPOs with settings that apply specifically to hyper-v. This is great if you can get the go ahead, I however could not.
Here are the steps I took to get the NT Virtual Machine\Virtual Machines “special identity” to always appear in the log on as a service user rights on my hyper-v 2012 nodes :
I identified the group policy (ex. user_rightGP) being applied to my hyper-v nodes where I wanted to add NT Virtual Machine\Virtual Machines to the log on as a service user right.
On a hyper-v 2012 node w/GUI:
  • Run RSOP on the selected hyper-v node
  • In the RSOP window, right-click Computer Configuration and select properties
  • On the general tab highlight the GPO (ex. user_rightGP) where your going to add the “special identity” (NT Virtual Machine\Virtual Machines)
  • With that policy (ex. user_rightGP) highlighted selected, hit the edit button in the bottom right of the screen.
  • At the local group policy editor window browse to the log on as a service setting (Computer configuration – Windows settings – Security settings – Local policies – User rights assignment)
  • Double click and then “add users or group” (from the hyper-v node you can added theNT Virtual Machine\Virtual Machines special group and it will resolve (you can only add this group to a GPO if you are doing it from a machine that has the hyper-v role installed)
  • Once the “special identity” is listed hit ok.
  • Hit ok again and then close to exit the policy.
Once these steps are complete you can open GPMC wherever you have it installed:
  • Open GPMC and find the policy modified
  • Browse to the logon as a service setting
  • The NT virtual machine\virtual machines account will not be displayed. Instead you will see this S-1-5-83-0 (this is because the NT Virtual Machine “special identity” is local to hyper-v 2012 nodes) 
To confirm that the GPO is now adding the NT Virtual Machine\Virtual Machines identity to all your hyper-v 2012 nodes you can do the following (after group policy has been updated on your hypervisors, 90min +-30 by default):
On a hyper-v 2012 node w/GUI:
  • Run RSOP
  • In the  RSOP window right-click the computer name in top left of the RSOP screen and select change query
  • At the Computer configuration selection screen select another computer and enter the name of one of your other (non-GUI) hyper-v nodes then hit next
  • At the user selection screen select do not display user policy…..” (login as a service is a computer config)
  • Hit next twice, then finish

Once the results have been generated browse to the log on as a service user setting to see that NT virtual machine\Virtual machines is being applied by the group policy to all your hyper-v 2012 nodes.

Good night and good luck!!!

9 thoughts on “Hyper-v 2012 – Logon failure errors and fix

  1. Pingback: Solving Hyper-V Error 0×80070569 on Windows 8 / 8.1 and Server 2012 | SAN | schausberger.cc

  2. This is great but what if I’m running Microsoft Hyper-v 2012 with no GUI… None of Microsoft options are working for me (Except gpupdate /force). Thanks anyway..

    • You will need to load a VM or laptop with windows 8/server 2012 and then load the management tools . Windows 7 version of Failover-Cluster manager and hyper-v manager don’t provide all capabilities. Gpupdate /force is not a permanent solution and the issue will reappear. How are you currently managing your none GUI nodes?

    • Tom,

      If building a 2012 vm is not something you want to do, you could put all Hyper-v 2012 non GUIs nodes in their own OU and then block inheritance of all GPOs. In my experience the problem was due to the fact that a GPO was granting new security groups to the “login as a service” right (and after an unidentified amount of time the NT Virtual Machine\Virtual Machine special identity was removed). If you place all the Hyper-v 2012 nodes in their own OU and then blocked inheritance you could then apply only GPOs that don’t contain the “login as a server” right. This would still allow you to apply some policies to the hyper-v nodes, just not the policies that contained the “login as a service” right. The reason that a gpupdate /force is working for you is because whenever gpupdate /force is processed the NT virtual machine\virtual machines special identity is re-added to the “login as a service” right. Hope this helps and thanks for your feedback.

      • Thanks for the reply. Yes, I have them already separated and GPO is blocked. Still no good. I installed a new cluster with the R2 version but Microsoft has not fixed this yet. The next thing I’m going to try is either load another full blown Hyper-V 2012R2 and then update the GPO to allow the Virtual Machine\Virtual Machines to log on as a service. I think this should fix it. This is an environment that started with SBS 2000 upgrade to SBS 2003 then SBS 2008 and now Essentials 2012. Some old entries in the gpo or environment is not liking the Hyper-V… The good news is that everything else is working perfectly. I’ll update this post of the results.

      • Yes, It would be great if you could give an update after you implement 2012 with GUI. I think that will resolve your issue. Thanks for your feedback and good luck!

  3. I know this is an old thread…but i was having the same issues. I moved the HyperV in question to it’s own OU, blocked inheritance, for good measure i restarted the HyperV mgt service, ran GPupdate /force…..and…..then all was good. VMs were able to start again.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s