“Unable to Add/Remove Role: Windows Server Requires Restart” – Fix it now

By Tech-Assured     
January 27, 2021  3530 Views


Webmasters have come across several Server related issues.

Let’s see the possible causes and fixes to it.

While installing any role or feature on Windows server if you get an error that the server requires a restart and we still get the same error after the restart,

The server event log (Event Viewer -> Windows Logs -> System) shows an error with the EventID 7041 and Service Control Manager as a source. The event description says:

This service account does not have the required user right “Log on as a service”.


Grant the log on as a service permission to “NT SERVICE\ALL SERVICES”.

If the error is related to the installation of the WSUS role or SQL Server role, then you must grant the log on as a service permission to “NT SERVICE\MSSQL$MICROSOFT##WID


  1. Open the Local Group Policy Editor: gpedit.msc
  2. Go to Computer Configuration –> Windows Settings –> Security Settings –> Local Policies –> User Rights Assignment;
  3. Find the Log on as a service policy;

Now if you see that there is no NT SERVICE\ALL SERVICES in this policy. Let’s try to add it: Add User or Group -> NT SERVICE\ALL SERVICES.

Steps to add a service account to a local policy

The only possible way you can grant the “Log on as a service” permissions to NT SERVICE\ALL SERVICES is to use the ntrights.exe tool (from the old Windows Server 2003 Resource Kit).

Download and install the Server 2003 Resource Kit (rktools.exe), then grant the SeServiceLogonRight permission using these commands in the elevated command prompt:

cd “C:\Program Files (x86)\Windows Resource Kits\Tools”
ntrights.exe +r SeServiceLogonRight -u “NT SERVICE\ALL SERVICES”

If the steps are followed correctly you will see the following message:

Granting SeServiceLogonRight to NT SERVICE\ALL SERVICES … successful

If there is no NETWORK SERVICE in the current permissions list, add this account as well. If necessary, add the permissions for NT SERVICE\MSSQL$MICROSOFT##WID in the same way:

ntrights.exe +r SeServiceLogonRight -u “NT SERVICE\MSSQL$MICROSOFT##WID”

Make sure that NT SERVICE\ALL SERVICES has appeared in the “Log on as a service” permissions in the Group Policy Editor console.

Restart your Windows Server and try to install/remove a role again. Issue RESOLVED

In this way, our Support Engineers will always have a solution for all Server related issues.

Tech-Assured can help you deploy best IT practices and mitigate risks with a fully compliant IT framework.

Enlink Clients