“Log on as a service” user right to “NT SERVICE\ALL SERVICES ” 


SQL Server will not start and the error says The user group “NT SERVICE/ALL SERVICES” does not have a log on as a service user right as shown below:



 In an effort to increase the security of WindowsServer Microsoft Update has replaced the use of local service account in Some Windows Servers GPO's by resetting the deafult domain policy. In simple this would disable local service accounts for every service which would limit the vulnerability to a particular service in the event of a particular account being compromised.

But how do we assign that user right ?


Assuming that the Windows Server is a member of a domain, the answer would be to edit the group policy on domain controller and update it. This is how it is done.

  1. First login to the DC machine
  2. Open RUN and type mmc and press enter
  3. I would open a console, click on Add or Remove snap-in from the File menu
  4. In Add or Remove snap-in window, select Group Policy Management Editor, click add.
  5. Click browse on the group policy wizard and select Default domain Policy, click OK.
  6. Click Finish and then OK.



  1. Go to Default Domain Policy>Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignments.



  1. Right Click on Log on as a service, Select properties.
  2. In the properties window, select Define these policy settings check box and click on Add User or Groupbutton.
  3. Type NT SERVICE/ALL SERVICES and click OK.



  1. Now go to command prompt and type gpupdate/force to update the policy.
  2. Also enforce the updated group policy on the proposed vCenter machine too by performing gpupdate/force over command prompt.