Link to home
Start Free TrialLog in
Avatar of mattolan
mattolanFlag for Canada

asked on

Scheduled Task Could Not Start

I have a number of Scheduled task on different servers. I recently changed the account that they are running under from domain\administrator to domain\acountxx. since changing the account none of my scheduled tasks are running they all fail to start with the status message "Could not start" and the following in the schedule tasks log

The attempt to log on to the account associated with the task failed, therefore, the task did not run.
The specific error is:
0x80070569: Logon failure: the user has not been granted the requested logon type at this computer.
Verify that the task's Run-as name and password are valid and try again.

The account name and password are valid, if I manually run the task imediatly after setting the account and password the task works fine

I added the new account to my gpo and gave it run as batch and run as service permissions. the account has domain admins and administrators permissions.


What am I missing to enable this account run my scheduled task

also note. that these task work just fine if i run them under domain\administrator so I know its not the task itself but permission problems
Avatar of Nitin Gupta
Nitin Gupta
Flag of United Kingdom of Great Britain and Northern Ireland image

The account has Domain Admin permission right, I assume it also is a part of Administrator group on the servers.
See if there is any GPO that is changing the "Log on as a batch job" Policy setting  also you can add the user 'logon as batch job' rights (server side). Control Panel -> Admin Tools -> Local Security Policy\Local Policies\User Rights Assignments "Log on as a batch job"
 
Avatar of mattolan

ASKER

the account has both domain admin rights and is part of the administrators group.

it is set as log on as batch in the gpo policy's and if I check the local policy on the server this setting is being applied as the account shows in the logon as batch setting
Delete and recreate the Scheduled Job ! This works in most cases.
In security subject, do you really want to blow up a hole and use users with that group membership for scheduled tasks or services?
'Domain Admins'-group is by default member of all Administrators-group in the domain.
The privilege neaded for scheduled tasks is only log on as batch job, not nead to have log on as service.

Use rsop.msc to find if any policy is configuring 'Deny log on as batch job'. If deny is applied to any group the user is member of, it will override the allow-permission.
henjoh09 when using rsop.msc there is nothing being set under "deny log on as batch job"

however it also does not show the account I am attempting to use in the "log on as batch job" group it appears that the policy is being overridden somewhere
rsop.msc will display what GPO is applying the policy setting. It also detects errors (use properties->error information).
As 'user rights assignment' is part of 'computer configuration', is the GPO linked to OU-structure containing the computer object?
Is there any GPO-blocking in the OU-path preventing the GPO from applying?
Any error in %WINDIR%\security\logs\netlogon.log ?
I don't see any errors, but there is settings being applied from the domain root gpo that appear to be overriding the settings I am attempting to set, is there a way to have it combine the 2 different "log on as batch" settings from the different gpo's or is it a case of I can have one or the other?
Policies are applied in the following order with the last applied winning:
1) Local
2) Site
3) Domain
4) OU-structure

Site overrides local, domain overrides site, OU overrides domain.
that being said them my policy should have been working, as it is on an OU, but it was being overridden by a Domain root policy,
ASKER CERTIFIED SOLUTION
Avatar of Henrik Johansson
Henrik Johansson
Flag of Sweden image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial