Failed to get token for NT AUTHORITY\SYSTEM required for become as a service account or an account without a password

Vijay Varma 96 Reputation points
2021-04-15T13:37:15.963+00:00

We are trying to install patches from Ansible on Windows servers, and it used to work fine, but recently a few changes were made in AD or GPO, which are causing the error below while executing the Windows updates script from Ansible.

"Failed to get token for NT AUTHORITY\SYSTEM required for become as a service account or an account without a password" ---> System.Exception: Failed to get token for NT AUTHORITY\SYSTEM required for become as a service account or an account without a password

"msg": "internal error: failed to become user 'SYSTEM': Exception calling \"CreateProcessAsUser\" with \"9\" argument(s): \"Failed to get token for NT AUTHORITY\SYSTEM required for become as a service account or an account without a password\""

Strangely, we were able to do it on a few servers and not on a few others, so we are not able to find which settings are actually causing the issue.


Accepted answer
  1. Vijay Varma 96 Reputation points
    2021-04-16T15:53:41.983+00:00

    It is an issue with SeDebugPrivilege for the users. It is disabled because a new Group Policy removed users and groups from Windows Settings -- Security Settings -- Local Policies -- User Rights Assignment -- Debug programs.

    whoami /priv will show SeDebugPrivilege for the user that is used to run the script, and it should be enabled.

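
A check for the cause given in the accepted answer, as an added example that is not part of the original thread: it reports whether the current logon token has SeDebugPrivilege and which accounts the host's user rights assignment grants "Debug programs" to. The function names are hypothetical; it assumes an elevated session and the built-in whoami.exe and secedit.exe.

```powershell
# Added example: run in an elevated session on the Windows host, as the
# account Ansible connects with. Uses only built-in whoami.exe and secedit.exe.

function Get-TokenPrivilege {               # hypothetical helper name
    param([string]$Name = 'SeDebugPrivilege')
    # Supplying our own headers and skipping the first row avoids depending
    # on the localized CSV header text.
    whoami /priv /fo csv |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header Name, Description, State |
        Where-Object { $_.Name -eq $Name }
}

function Get-UserRightHolder {              # hypothetical helper name
    param([string]$Name = 'SeDebugPrivilege')
    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export the user rights assignment currently in effect on this host.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match "^$Name\s*=" }
        if (-not $line) { return }          # the right is assigned to nobody
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry.StartsWith('*')) { $entry; continue }  # plain name
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }            # unresolvable SID: report it raw
        }
    }
    finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

$priv = Get-TokenPrivilege
if ($priv) { "Token of $(whoami) has SeDebugPrivilege, state: $($priv.State)" }
else       { "Token of $(whoami) does not have SeDebugPrivilege" }

"Accounts assigned 'Debug programs' on $env:COMPUTERNAME:"
Get-UserRightHolder | ForEach-Object { "  $_" }
```

Comparing the output from a server where the playbook works with one where it fails shows whether the Group Policy change has reached that host. `gpresult /h report.html` then identifies which GPO supplies the "Debug programs" setting.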

3 additional answers

  1. Dave Patrick 329.1K Reputation points Microsoft MVP
    2021-04-15T13:43:33.687+00:00

    error while executing the Windows updates script from Ansible

    The developer will be your best resource for troubleshooting, or also try asking in their own forums.
    https://www.ansible.com/community?extIdCarryOver=true&sc_cid=701f2000001OH7YAAW

    --please don't forget to Accept as answer if the reply is helpful--


  2. Dave Patrick 329.1K Reputation points Microsoft MVP
    2021-04-15T14:21:17.747+00:00

    Might try downloading here and manual install as a test.
    https://www.catalog.update.microsoft.com/

    --please don't forget to Accept as answer if the reply is helpful--


  3. Dave Patrick 329.1K Reputation points Microsoft MVP
    2021-04-15T14:38:56.55+00:00

    Only the developer knows their own in-house developed process. They should be in the best position to debug the process.

    BTW it looks like you're not alone.
    https://learn.microsoft.com/en-us/answers/questions/276349/assign-34system34-rights-to-domain-user-id-on-wind.html

    --please don't forget to Accept as answer if the reply is helpful--