When installing any role or feature on Windows Server 2016, an error appears that the server requires a restart: “The request to add or remove features on the specified server failed. The operation cannot be completed, because the server that you specified requires a restart
”. Ok, we restart our server and try to install a role again. The same error appears. And so it goes repeatedly .
As a result, we cannot install or remove any of the roles/features on Windows Server even after restarting the server and installing the latest updates.
The server event log (Event Viewer -> Windows Logs -> System) shows an error with the EventID 7041 and Service Control Manager as a source. The event description says:
This service account does not have the required user right "Log on as a service".
To solve the problem, you must grant the logon as a service permissions to “NT SERVICE\ALL SERVICES
” (and NT SERVICE\MSSQL$MICROSOFT##WID
, if the error is related to the installation of the WSUS role or SQL Server role).
- Open the Local Group Policy Editor:
gpedit.msc
- Go to Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment;
- Find the Log on as a service policy;
- As you can see, there is no
NT SERVICE\ALL SERVICES
in this policy. Let’s try to add it: Add User or Group -> NT SERVICE\ALL SERVICES. An error occurs: name not found.
How can you add a service account to a local policy? The only possible way I could find to grant the “Log on as a service” permissions to NT SERVICE\ALL SERVICES is to use the ntrights.exe tool (from the old Windows Server 2003 Resource Kit).
Download and install the Server 2003 Resource Kit (rktools.exe), then grant the SeServiceLogonRight permission using these commands in the elevated command prompt:
cd “C:\Program Files (x86)\Windows Resource Kits\Tools”
ntrights.exe +r SeServiceLogonRight -u “NT SERVICE\ALL SERVICES”
Granting SeServiceLogonRight to NT SERVICE\ALL SERVICES ... successful
If there is no NETWORK SERVICE in the current permissions list, add this account as well. If necessary, add the permissions for NT SERVICE\MSSQL$MICROSOFT##WID in the same way:
ntrights.exe +r SeServiceLogonRight -u “NT SERVICE\MSSQL$MICROSOFT##WID”
Make sure that NT SERVICE\ALL SERVICES has appeared in the “Log on as a service” permissions in the Group Policy Editor console.
Restart your Windows Server and try to install/remove a role again. No errors should appear.