Log on as a batch job


Ivan

We have a Windows XP Professional machine in a domain on which we're trying
to run a scheduled task as a domain account. We've added this domain account
into a local group which is included in the "Log on as a batch job"
privilege. This privilege is assigned through group policy, and confirmed on
the machine by rsop.msc.

However when we attempt to start the scheduled task we receive a "Could not
start" message in Scheduled tasks and an error in the application event log
stating that the domain account cannot be loaded. Are there other sections
in User Rights Assignment (for example "Log on as a service") where we have
to add the local account (containing the domain account) in order to run our
scheduled task?
 
Hi Ivan,
Depending on the task you are trying to run, the account you use may need to
be a member of the local Administrators group on the PC.

Alternatively, forget XP's inbuilt task scheduler and have a look at
Splinterware's System Scheduler Free Version -
http://www.splinterware.com/products/wincron.htm

I use this on an XP machine that had similar problems with XP task
scheduler, and this utility sorted me just fine.

Good Luck
 
KieronH said:
Hi Ivan,
Depending on the task you are trying to run, the account you use may need to
be a member of the local Administrators group on the PC.

Alternatively, forget XP's inbuilt task scheduler and have a look at
Splinterware's System Scheduler Free Version -
http://www.splinterware.com/products/wincron.htm

I use this on an XP machine that had similar problems with XP task
scheduler, and this utility sorted me just fine.

I thought that Administrators group has implicit membership in Logon as a
Batch Job? And the entire point of Logon as a Batch Job privilege is to
create a reduced privilege level so you don't go compromising the machine
every time a user needs to run a batch job. In a perfect world no one
ever needs Administrator privilege who doesn't have legitimate needs to
*administer* the box.

My brief experiments suggest that running a scheduled task requires the user
context that runs the task to load a user profile, and apparently on our
Windows XP install that required the user to have the additional user
privilege of "Logon as a User". Note that we run with stricter than normal
permissions, and this behavior may be a side effect of our particular setup.
We strip out Everyone and Authenticated Users from most of our ACLs.

I am very interested in knowing what is the correct answer to the question
that was asked on a stock Windows XP installation. And a slightly more
technical question: when a user is logged in to a box with Logon as a
Batch Job, what security groups does that implicitly add that user into?
 
To find out more details on why it failed enable auditing of privilege use
and logon events for failure on that computer and then review the security
log after it fails again for any failures at the time that job fails which
should give you some more clues as to why the job failed. You also may
temporarily want to add that domain user account to the local administrators
group on that computer to see what happens.

Steve
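
The log review suggested in the reply above, as an added example that is not part of the original thread: it filters an exported Security log for failure audits of the task account around the time the job failed and explains them using the Windows XP logon-failure (529-539) and privilege-use (577, 578) event IDs. The CSV column layout, account names and timestamps are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Windows XP / Server 2003 Security-log event IDs (failure audits).
LOGON_FAILURES = {
    529: "unknown user name or bad password",
    530: "logon outside permitted hours",
    531: "account disabled",
    532: "account expired",
    533: "user not allowed to log on at this computer",
    534: "requested logon type not granted on this machine",
    535: "password expired",
    537: "unexpected logon error",
    539: "account locked out",
}
PRIVILEGE_USE = {577: "privileged service called", 578: "privileged object operation"}
LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch", "5": "service"}

# Constructed sample export: time, event id, audit result, account, logon type.
SAMPLE = """\
2006-03-01 02:00:01,534,Failure,CORP\\svc_task,4
2006-03-01 02:00:01,578,Failure,CORP\\svc_task,
2006-03-01 02:00:03,540,Success,CORP\\ivan,3
2006-03-01 09:15:42,529,Failure,CORP\\svc_task,2
"""

def failures_near(export, account, failed_at, window_s=60):
    """Return (time, event id, explanation) for failure audits of `account`
    logged within `window_s` seconds of the task's failure time."""
    hits = []
    for ts, eid, result, who, ltype in csv.reader(io.StringIO(export)):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if result != "Failure" or who.lower() != account.lower():
            continue
        if abs(when - failed_at) > timedelta(seconds=window_s):
            continue
        eid = int(eid)
        if eid in LOGON_FAILURES:
            kind = LOGON_TYPES.get(ltype, "type " + ltype)
            why = f"{LOGON_FAILURES[eid]} ({kind} logon)"
        else:
            why = PRIVILEGE_USE.get(eid, "other failure audit")
        hits.append((ts, eid, why))
    return hits

if __name__ == "__main__":
    for hit in failures_near(SAMPLE, "CORP\\svc_task", datetime(2006, 3, 1, 2, 0, 0)):
        print(*hit)
```

An event 534 with logon type 4 (batch) at the moment the task fails points at the batch logon right itself; a different logon type or event ID points elsewhere.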
 