Recently, I worked on the issue below and thought it might be worth blogging about:
On a Hyper-V server, existing VMs were running just fine; however, we could not create new VMs. The error at the final stage of the wizard was:
The server encountered an error while creating “Name of the VM”
The operation failed
Failed to create external configuration store at <Path to the VM>: A required privilege is not held by the client. (Virtual machine ID 0x80070522)
As it turned out, the Virtual Machine Management Server was not able to create a symbolic link for the machine at "%systemdrive%\programdata\Microsoft\Windows\Hyper-V\Virtual Machines".
By default, the local User Right “Create Symbolic links” is assigned to the Administrators group. Once you install Hyper-V, an extension is installed on the machine that allows Service SIDs to be used, and the Service SID “Virtual Machines” is allowed to “Create Symbolic links”.
Now, you might have the requirement to configure the User Right “Create Symbolic links” with a Domain GPO. Once configured, it replaces the local assignment, and for Hyper-V hosts you'd need to add the “Virtual Machines” Service SID. The Domain Controller is most likely not a Hyper-V host and does not have the necessary Hyper-V extension. Also, the GPO admin tools will not allow you to browse the Service SID namespace. Simply adding the string “Virtual Machines” does not help either, as it needs to have the Hyper-V Service SID prefix “NT VIRTUAL MACHINE”.
To get the necessary Service SID added, you need to edit the GptTmpl.inf that is associated with the GPO directly on the Sysvol. [You need to locate the correct GptTmpl.inf by the GPO's Unique ID]
Example with Administrators and added “Virtual Machines”:
…
[Privilege Rights]
SeCreateSymbolicLinkPrivilege = *S-1-5-32-544, NT Virtual Machine\Virtual Machines
…
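The manual edit described above can be scripted so that the existing members of the right are preserved and the entry is not added twice. This is an added example, not code from the original post; the function name Add-PrivilegeRightEntry, the $path placeholder and the sample file content are constructed for illustration.

```powershell
# Added example: pure text transformation, no file or domain access.
function Add-PrivilegeRightEntry {
    param(
        [Parameter(Mandatory)][string[]]$InfLines,   # lines of a GptTmpl.inf
        [Parameter(Mandatory)][string]$Privilege,    # e.g. SeCreateSymbolicLinkPrivilege
        [Parameter(Mandatory)][string]$Principal     # e.g. NT Virtual Machine\Virtual Machines
    )
    $out = New-Object System.Collections.Generic.List[string]
    $inSection = $false
    $done = $false
    $privPattern = '^\s*' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving [Privilege Rights] without having seen the privilege: append it there.
            if ($inSection -and -not $done) {
                $out.Add("$Privilege = $Principal"); $done = $true
            }
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        }
        elseif ($inSection -and $line -match $privPattern) {
            # Keep every existing member; add the principal only if it is missing.
            $members = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if ($members -notcontains $Principal) { $members += $Principal }
            $line = "$Privilege = " + ($members -join ',')
            $done = $true
        }
        $out.Add($line)
    }
    if (-not $done) {
        # No such privilege line anywhere: create the section if needed, then the line.
        if (-not $inSection) { $out.Add('[Privilege Rights]') }
        $out.Add("$Privilege = $Principal")
    }
    return ,$out.ToArray()
}

# Constructed sample content (not taken from a real GPO).
$sample = @(
    '[Unicode]', 'Unicode=yes',
    '[Privilege Rights]',
    'SeCreateSymbolicLinkPrivilege = *S-1-5-32-544',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1'
)
Add-PrivilegeRightEntry -InfLines $sample `
    -Privilege 'SeCreateSymbolicLinkPrivilege' `
    -Principal 'NT Virtual Machine\Virtual Machines'

# Against a real file ($path is a placeholder for the GPO's GptTmpl.inf on Sysvol):
#   $new = Add-PrivilegeRightEntry -InfLines (Get-Content $path) -Privilege ... -Principal ...
#   Set-Content -Path $path -Value $new -Encoding Unicode   # the file is stored as UTF-16
```

Take a copy of the original GptTmpl.inf before writing the result back.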
That's all and well, except that this privilege can't be applied via Group Policy (the resultant setting is "Virtual Machines" instead of "NT Virtual Machine\Virtual Machines" - i.e. the Group Policy extension does not understand the "NT Virtual Machine" authority).
Is there any way to edit that in the Local Security Policy? On a Hyper-V host, I granted someone the Create Symbolic Links user right, which destroyed the Virtual Machines SID from that user right, and now that host is broken in the Hyper-V sense.
I don't get this to work. VMM says the same error.