cheluto2

Can't run Scheduled Task with non-Admin

I have a domain account that I want to use to run a Scheduled Task.  I have read several posts here regarding necessary permissions for an account to run a Scheduled Task on a Windows 2003 Server machine, and have applied the necessary permissions, but I still can't get it to work.
I get the following in the log:
-------------------------
"File Deployer Step 3.job" (3_BatchMoveToRs820VolStage.bat) 10/12/2007 11:37:00 AM ** ERROR **
      Unable to start task.
      The specific error is:
      0x80070005: Access is denied.
      Try using the Task page Browse button to locate the application.
--------------------------

First off, if I add this acct to the Administrators group, everything runs fine.  However, I don't want to do that.  I added it to the Backup Operators group, which supposedly has enough rights, but nothing.  The user has NTFS permissions to all the folders where the batch file resides, and everything else that the batch file "touches" or interacts with.  I also used CACLS to grant permissions to the Tasks folder (Full Access), but to no avail.  The user has the following User Rights assigned:
-Access this computer from the network (read somewhere it was needed)
-Allow log on locally
-Log on as a batch job
-Log on as a service

I created this Task with another user (an Admin) and it runs fine using those credentials and while logged on as the admin user.  However, when I change the credentials to the non-admin user's, I get the message above.  If I log-in to the server with the non-admin account and run the task with the non-admin's credentials, it runs fine!  But then when I go to look at the log later, I see the error above when it runs at the scheduled times.

Any ideas?  Am I missing something?  I've rebooted the machine after applying the user rights and all, with no results.  Please help!

Thanks in advance!

fmonroy

Have you checked the permissions on the scheduled task?

If not, go to Scheduled Tasks, right-click your task and select Properties, then go to the Security tab; your domain account should have at least read and exec permissions.

Brugh

^ that's what i was thinking.
don't read my mind plz :)

cheluto2
ASKER

Yes.  I forgot to mention that, but I did add that account to the list with the max permissions.
Check the system log for a specific access denied message.
I see it's a bat file; did you check file permissions on commands the bat is calling?
No entries in the system log, and yes, the batch file has the right permissions, as well as the one command it executes, which is a call to WSFTP Pro using the command line.  The user has Full Access to the WSFTP Pro folder as well as all other folders that I can see are used for it.  

By the way, the Status in the Scheduled Tasks window reads "Could not start", so I get the feeling it is not even starting the job to even get to try to execute the command.  Is this possible?
Ok, recheck plz at its properties on the task tab the "Run as" part: Verify the correct DOMAIN\USERNAME and set the correct password.

Also: UNCHECK "Run only if logged on" check box and CHECK the enabled check box.
It's been checked and re-checked over and over.  Also remember that if the credentials entered are incorrect you cannot save the changes to the task itself.

"Run only if logged on" is un-checked, "Enabled" is checked.

Permissions for the user in the Task are set to "Full Control"
When is it scheduled to run?
It's scheduled to run "Every 30 minutes from 6:07am for 16 hours every day"

Does it matter when it is scheduled to run?

I just created a new identical job (different name, of course) while logged in as this non-admin user, and am waiting to see if this one will run for some reason.
A few differences, but not in your case.

Please tell us the results of using the new job.

You can try running a simple explorer command to discard any problem related to the bat file.
Ok, here's what I've found.

Even though the option that says "Run only if logged on" is un-checked, the job only runs successfully if that user is logged on.  I logged on as that user to test the batch file, and it just happened to be I was logged in when the scheduled time came, and the command window popped up while the task ran, and the log shows that it ran successfully (?!?!?)

So the user appears to have all the permissions, but if it is not logged on, the job does not run.  And if I log in as another user and try to run it manually, it does not run either ("Could not start").  Any more ideas?  This is a little frustrating.  I am trying to understand why it works if I set up the user as an admin or if the user is logged in (even if not in the Admin group), but not otherwise.  It sounds (and the error states it) like a permissions issue, but to what?
You set the "Log on as a batch job" permission for the user, but sometimes it needs a restart to make it effective. Did you restart the system after setting that permission?
Yes.  I restarted the server after I granted all those rights as per another article I found, but I will restart it again and see if I have any luck.
I restarted the machine with no luck.  I monitored the Security Event Log, and these are the entries recorded when I run the job manually while logged on as another user (an Admin), and the job is set up to run with the non-Admin user.  The "*****" are the non-Admin user's ID and domain.  Does anybody see any clues here?

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/12/2007
Time:            4:22:25 PM
User:            ************
Computer:      SW820VOLWQA01
Description:
Successful Logon:
       User Name:      ******
       Domain:            ******
       Logon ID:            (0x0,0x92200)
       Logon Type:      4
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SW820VOLWQA01
       Logon GUID:      {faf71e23-1cd4-b708-512b-a2d22199b445}
       Caller User Name:      SW820VOLWQA01$
       Caller Domain:      LA
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 832
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      576
Date:            10/12/2007
Time:            4:22:25 PM
User:            *********
Computer:      *********
Description:
Special privileges assigned to new logon:
       User Name:      **********
       Domain:            **********
       Logon ID:            (0x0,0x92200)
       Privileges:      SeBackupPrivilege
                  SeRestorePrivilege

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            10/12/2007
Time:            4:22:25 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SW820VOLWQA01
Description:
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\WINNT\Tasks\File Deployer Step_3.job
       Handle ID:      3220
       Operation ID:      {0,598936}
       Process ID:      832
       Image File Name:      C:\WINNT\system32\svchost.exe
       Primary User Name:      SW820VOLWQA01$
       Primary Domain:      LA
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:      READ_CONTROL
                  SYNCHRONIZE
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges:      -
       Restricted Sid Count:      0
       Access Mask:      0x120196

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      567
Date:            10/12/2007
Time:            4:22:25 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SW820VOLWQA01
Description:
Object Access Attempt:
       Object Server:      Security
       Handle ID:      3220
       Object Type:      File
       Process ID:      832
       Image File Name:      C:\WINNT\system32\svchost.exe
       Accesses:      WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  
       Access Mask:      0x6

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      562
Date:            10/12/2007
Time:            4:22:25 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SW820VOLWQA01
Description:
Handle Closed:
       Object Server:      Security
       Handle ID:      3220
       Process ID:      832
       Image File Name:      C:\WINNT\system32\svchost.exe

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            10/12/2007
Time:            4:22:25 PM
User:            *************
Computer:      SW820VOLWQA01
Description:
User Logoff:
       User Name:      viscftp
       Domain:            VISA
       Logon ID:            (0x0,0x92200)
       Logon Type:      4


Can't see any problem there, they're audit entries. Nothing on the system or application logs?
Thanks for looking at it.  No.  The other logs don't have a thing related to this.
Sorry, can't reproduce the problem right now, I will try later at home if you haven't found a way to make it work.
ASKER CERTIFIED SOLUTION
GPomerleau

This solution is only available to members.
GPomerleau, that solved some of the problem.  The task now runs under that account even if I remove it from the admin group (which is where I had put it because I could not find another solution).  
However, now the task never stops running.  It stops if the user is an admin.  I will research to find out where the problem is now.  But, because you provided the solution to get it to run, I am giving you the points.  Thank you very much!  And thanks to fmonroy, too, for the time.

You're welcome, I'm so sorry, I completely forgot about this issue. It's good that you are getting a solution.
If you log on as a non-admin and manually run that famous job, does it complete successfully? What are you running in that batch? I suspect it is the command you are trying that requires more privileges. Could you put the content of that job?
I have the exact same problem.  All the detailed symptoms you describe are present for me too.  However, granting read & execute to command.com with a restart did not solve my problem and I'm out of ideas.  Is there any other permission to get beyond "Could not start"?