jmachado81
asked on
Server 2016 scheduled task
I have found when creating a schedule task in Server 2016 STD the account used does not display domain credentials. When i export the job, the xml file will display the domain user SID, but the task simply won't run correctly.
I've read multiple things stating i need to enable SeDelegateSessionUserImper sonatePriv ilege from "whoami /all" output and/or gpedit.msc. I've reviewed my local policy and the items in this site are enabled and the user i'm using is an admin of the server, but when i run whoami that privileged is still disabled.
https://social.technet.microsoft.com/Forums/en-US/73c22958-5e0a-44a4-a457-0fb94d8bca12/server-2016-strugle-with-sedelegatesessionuserimpersonateprivilege?forum=winserversecurity
Does anybody know how i can successfully run a scheduled task with a domain user (to execute a bat file) or how to enable this privilege that is suppose to also resolve my situation?
I've read multiple things stating i need to enable SeDelegateSessionUserImper
https://social.technet.microsoft.com/Forums/en-US/73c22958-5e0a-44a4-a457-0fb94d8bca12/server-2016-strugle-with-sedelegatesessionuserimpersonateprivilege?forum=winserversecurity
Does anybody know how i can successfully run a scheduled task with a domain user (to execute a bat file) or how to enable this privilege that is suppose to also resolve my situation?
How do you send the mail? Could you show us your batch?
ASKER
the bat file simply calls the vCheck powershell script but although the tasks states its started i don't think it is running correctly. I can run the vcheck.ps1 script directly and it will take 15min to run and i'll get an email but when i run it in a scheduled task calling the PS script it can run for an hour and do nothing. I also tried to convert the bat file to an exe to run as admin and that didn't work either which is why i think its an issue with running as a different user.
@echo off
Powershell.exe -executionpolicy remotesigned -File C:\Tasks\LAB\vCheck\vCheck.ps1
Did you try running the scheduled task without the batch file? Just schedule powershell.exe with the arguments?
ASKER
I perform this action in the scheduled task...configured to run with domain/user but once i hit OK it just says running as user.
C:\Windows\System32\Window sPowerShel l\v1.0\pow ershell.ex e -executionpolicy remotesigned -File C:\Tasks\LAB\vCheck\vCheck .ps1
It's still running after 45min and i only have 2 nodes...should be done in under 15min.
C:\Windows\System32\Window
It's still running after 45min and i only have 2 nodes...should be done in under 15min.
Without knowing what the script actually does, I cannot say much more. I imagine you set it to run with highest privileges?
I assume you are talking about the script of http://www.virtu-al.net/vcheck-pluginsheaders/vcheck/.
It shouldn't be an issue if you provided all user credentials in the script - for vCenter, the SMTP server (if required), and so on.
For test, add the -OutputPath parameter (with a path) to store HTML reports in. This will show if the reports are generated, and there is just an issue with the email.
Also, if you set the task to only run when logged in, and use the same user you are logged in with, you should be able to monitor the script's console output on screen.
It shouldn't be an issue if you provided all user credentials in the script - for vCenter, the SMTP server (if required), and so on.
For test, add the -OutputPath parameter (with a path) to store HTML reports in. This will show if the reports are generated, and there is just an issue with the email.
Also, if you set the task to only run when logged in, and use the same user you are logged in with, you should be able to monitor the script's console output on screen.
ASKER
Yes that is the vCheck i am speaking about and i am able to run this script directly through cmd or powershell successfully...but it still fails when i run it as a scheduled task. The passwords are in the script called (in plain text) but that did not resolve the task scheduler issue.
You need a hint where the issue might be, so do as suggested above to create a HTML report file.
What version of VCenter are you using? I see some issues with Schedules tasks and VCenter 6.5. If you look in the comments on the virtual-al.net website, it describes a similar issue. Perhaps that will help you
ASKER
I did review those but unfortunately i didn't view any comments for server 2016 and i tried option #1. Since i have powercli 6.6 (with powershell) the #2 option wasn't one for me.
I've tried using the task scheduler to call an EXE, bat, and PS1 file, and none of them seem to "run the task, using the following user account" correctly because it doesn't display the domain. Even if i embed the username and password into the scripts they still don't work using the task scheduler. All of these methods DO work if i manually run them outside the task scheduler so the scripts aren't the issue.
I know this may seem like its specific to vCheck since that is what isn't working but i also have one for snapshot reminders and that isn't working either. I don't believe this is an issue with powershell or vcheck. And i can easily get this working with Server 2012 r2 and VCSA 6.5.
I've tried using the task scheduler to call an EXE, bat, and PS1 file, and none of them seem to "run the task, using the following user account" correctly because it doesn't display the domain. Even if i embed the username and password into the scripts they still don't work using the task scheduler. All of these methods DO work if i manually run them outside the task scheduler so the scripts aren't the issue.
I know this may seem like its specific to vCheck since that is what isn't working but i also have one for snapshot reminders and that isn't working either. I don't believe this is an issue with powershell or vcheck. And i can easily get this working with Server 2012 r2 and VCSA 6.5.
none of them seem to "run the task, using the following user account" correctly because it doesn't display the domain.
but when i run whoami that privileged is still disabled.
This are red herrings. I've just set up a task on W2016 with a domain account (which is not also mapped to a local account), and it runs fine.
The MS link you provided also tells that whoami is not reliable for the purpose of special privileges.
Yes, the domain/local part of the user credential is removed from each display, including schtasks /query /fo list and PowerShell's (get-ScheduledTasks).Princ ipal, but the export is correctly showing a domain SID.
but when i run whoami that privileged is still disabled.
This are red herrings. I've just set up a task on W2016 with a domain account (which is not also mapped to a local account), and it runs fine.
The MS link you provided also tells that whoami is not reliable for the purpose of special privileges.
Yes, the domain/local part of the user credential is removed from each display, including schtasks /query /fo list and PowerShell's (get-ScheduledTasks).Princ
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER