Windows Server

Unable to Add/Remove Role: Windows Server Requires Restart

By March 10, 2021April 30th, 2021No Comments

When installing any role or feature on Windows Server 2016, an error appears that the server requires a restart: “The request to add or remove features on the specified server failed. The operation cannot be completed, because the server that you specified requires a restart”. Ok, we restart our server and try to install a role again. The same error appears. And so it goes repeatedly .

Windows Server Feature Installation error "The request to add or remove features on the specified server failed, because the server requires a restart"

As a result, we cannot install or remove any of the roles/features on Windows Server even after restarting the server and installing the latest updates.

The server event log (Event Viewer -> Windows Logs -> System) shows an error with the EventID 7041 and Service Control Manager as a source. The event description says:

This service account does not have the required user right "Log on as a service".

To solve the problem, you must grant the logon as a service permissions to “NT SERVICE\ALL SERVICES” (and NT SERVICE\MSSQL$MICROSOFT##WID, if the error is related to the installation of the WSUS role or SQL Server role).

  1. Open the Local Group Policy Editor: gpedit.msc
  2. Go to Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment;
  3. Find the Log on as a service policy;
  4. As you can see, there is no NT SERVICE\ALL SERVICES in this policy. Let’s try to add it: Add User or Group -> NT SERVICE\ALL SERVICES. An error occurs: name not found.
    gpo - NT SERVICE\ALL SERVICE name not found

How can you add a service account to a local policy? The only possible way I could find to grant the “Log on as a service” permissions to NT SERVICE\ALL SERVICES is to use the ntrights.exe tool (from the old Windows Server 2003 Resource Kit).

Download and install the Server 2003 Resource Kit (rktools.exe), then grant the SeServiceLogonRight permission using these commands in the elevated command prompt:

cd “C:\Program Files (x86)\Windows Resource Kits\Tools”
ntrights.exe +r SeServiceLogonRight -u “NT SERVICE\ALL SERVICES”

Granting SeServiceLogonRight to NT SERVICE\ALL SERVICES ... successful
ntrights.exe SeServiceLogonRight to NT SERVICE\ALL SERVICES

If there is no NETWORK SERVICE in the current permissions list, add this account as well. If necessary, add the permissions for NT SERVICE\MSSQL$MICROSOFT##WID in the same way:

ntrights.exe +r SeServiceLogonRight -u “NT SERVICE\MSSQL$MICROSOFT##WID”

Make sure that NT SERVICE\ALL SERVICES has appeared in the “Log on as a service” permissions in the Group Policy Editor console.

Log on as a service local policy

Restart your Windows Server and try to install/remove a role again. No errors should appear.

Leave a Reply