"Failed to save Local Policy Database" while granting any privilege to SQL Service SID in Group Policy Editor

When you try to grant any privilege to SQL Server Service SID using Group Policy Editor in Windows 2008, you might get this error:

An extended error has occurred.
Failed to save Local Policy Database.

This happens only when you try to add virtual accounts like



to grant certain privileges like Act as part of the operating system, Increase quotas, replace process level token, Log on as a batch job to the SQL Server Service SID and SQL Server Agent Service SID.

Granting privileges to Service SID was introduced in SQL Server 2008 since it was a pain in SQL Server 2005 when somebody accidentaly deleted the domain or local groups created by SQL Server to which all the permissions were granted. Read more about this here http://msdn.microsoft.com/en-us/library/cc280562.aspx

This error is a known issue w.r.t Group Policy Editor since it was not able to handle these virtual accounts. Fix for this issue is available through Windows hotfix http://support.microsoft.com/kb/2491998

Workaround is to use the ntrights utility available as part of Windows 2003 Resource Kit. You can use the Windows 2003 version of ntrights to do this in Windows 2008 or simply apply the hotfix to take care of granting privileges to the virtual accounts in the group policy editor.

Sample syntax to grant "Replace process level token" to SQL Server Service SID & SQL Server Agent Service SID:

ntrights +r SeAssignPrimaryTokenPrivilege -u "NT SERVICE\MSSQLSERVER"
ntrights +r SeAssignPrimaryTokenPrivilege -u "NT SERVICE\SQLSERVERAGENT"

Check the link http://msdn.microsoft.com/en-us/library/windows/desktop/bb530716(v=vs.85).aspx for the complete list of privileges to Privilege Name mapping