mattolan
asked on
Scheduled Task Could Not Start
I have a number of scheduled tasks on different servers. I recently changed the account that they are running under from domain\administrator to domain\acountxx. Since changing the account, none of my scheduled tasks are running; they all fail to start with the status message "Could not start" and the following in the scheduled tasks log:
The attempt to log on to the account associated with the task failed, therefore, the task did not run.
The specific error is:
0x80070569: Logon failure: the user has not been granted the requested logon type at this computer.
Verify that the task's Run-as name and password are valid and try again.
The account name and password are valid; if I manually run the task immediately after setting the account and password, the task works fine.
I added the new account to my GPO and gave it run as batch and run as service permissions. The account has domain admins and administrators permissions.
What am I missing to enable this account to run my scheduled tasks?
Also note that these tasks work just fine if I run them under domain\administrator, so I know it's not the task itself but permission problems.
ASKER
The account has both domain admin rights and is part of the Administrators group.
It is set as log on as batch in the GPO policies, and if I check the local policy on the server, this setting is being applied, as the account shows in the log on as batch setting.
Delete and recreate the Scheduled Job! This works in most cases.
On the subject of security, do you really want to blow a hole and use users with that group membership for scheduled tasks or services?
The 'Domain Admins' group is by default a member of every Administrators group in the domain.
The only privilege needed for scheduled tasks is log on as batch job; there is no need to have log on as service.
Use rsop.msc to find if any policy is configuring 'Deny log on as batch job'. If deny is applied to any group the user is a member of, it will override the allow permission.
ASKER
henjoh09, when using rsop.msc there is nothing being set under "deny log on as batch job".
However, it also does not show the account I am attempting to use in the "log on as batch job" group; it appears that the policy is being overridden somewhere.
rsop.msc will display what GPO is applying the policy setting. It also detects errors (use properties->error information).
As 'user rights assignment' is part of 'computer configuration', is the GPO linked to the OU structure containing the computer object?
Is there any GPO-blocking in the OU-path preventing the GPO from applying?
Any error in %WINDIR%\security\logs\net logon.log ?
ASKER
I don't see any errors, but there are settings being applied from the domain root GPO that appear to be overriding the settings I am attempting to set. Is there a way to have it combine the 2 different "log on as batch" settings from the different GPOs, or is it a case of I can have one or the other?
Policies are applied in the following order with the last applied winning:
1) Local
2) Site
3) Domain
4) OU-structure
Site overrides local, domain overrides site, OU overrides domain.
ASKER
That being said, then my policy should have been working, as it is on an OU, but it was being overridden by a domain root policy.
ASKER CERTIFIED SOLUTION
See if there is any GPO that is changing the "Log on as a batch job" policy setting. Also, you can add the user 'logon as batch job' rights (server side): Control Panel -> Admin Tools -> Local Security Policy\Local Policies\User Rights Assignments "Log on as a batch job".
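
An added PowerShell example (not part of the original thread) for the check the answers above describe: it lists who currently holds "Log on as a batch job" and "Deny log on as a batch job" on the server, then writes a Resultant Set of Policy report that names the winning GPO for each setting. The account name and output paths are placeholders; run it from an elevated prompt on the server that hosts the task.

```powershell
# Added example, not from the thread. Placeholders: $account and the two temp paths.
$account = 'domain\acountxx'                      # the task's run-as account
$cfg     = Join-Path $env:TEMP 'user-rights.inf'
$report  = Join-Path $env:TEMP 'rsop-computer.html'

# Export the User Rights Assignment area of the computer's current security policy.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Collect the holders of the allow and deny batch-logon rights.
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se(Deny)?BatchLogonRight)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = $Matches[3].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                # Entries prefixed with * are SIDs; translate to a name when possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
            } else {
                $entry
            }
        }
    }
}

foreach ($name in 'SeBatchLogonRight', 'SeDenyBatchLogonRight') {
    $holders = @($rights[$name] | Where-Object { $_ })
    Write-Output "${name}:"
    if ($holders.Count -eq 0) { Write-Output '  (no entries)' }
    $holders | ForEach-Object { Write-Output "  $_" }
    # Only a direct entry is detected here; rights held through a group
    # (for example BUILTIN\Administrators) must be checked by membership.
    if ($holders -contains $account) {
        Write-Output "  -> $account is listed directly"
    }
}

# User rights lists are not merged across GPOs: the winning GPO's list
# replaces the others. The HTML report shows the winning GPO per setting.
gpresult /scope computer /h $report /f
Write-Output "RSoP report written to $report"
```

If the account is missing from `SeBatchLogonRight` here while the OU-linked GPO lists it, the report's winning GPO column shows which policy supplied the list that actually applied.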