Permissions for Scheduled Tasks on a Domain Controller

18,442

"Log on as batch job" should be all the account needs to run a simple task on the DC. How did you give the account that permission? In a vanilla 2008 R2 AD, that privilege is configured in the Default Domain Controllers Policy GPO to include:

  • BUILTIN\Performance Log Users
  • BUILTIN\Backup Operators
  • BUILTIN\Administrators

In order to add a user or group to that list, you'd either have to edit that policy or create a new policy to override that setting. Since editing MS default policies is a bad idea, you should create a new policy with the setting overridden. Make sure you include the default groups listed above as well as the user you're trying to give access to. This particular setting gets overwritten (rather than merged) if there are multiple policies trying to configure it.



Author: BenC

Updated on September 18, 2022
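
To check the outcome the answer warns about (the new policy replacing the list instead of merging into it), the effective right can be exported on the DC and compared against the three default groups. This is an added example, not part of the original answer; the account name `CONTOSO\svc-task` and the function name `Get-BatchLogonSids` are hypothetical, and it assumes an elevated PowerShell session on the DC after Group Policy has refreshed.

```powershell
# Added example: audit who holds "Log on as a batch job" (SeBatchLogonRight) on this machine.
# Assumption: the default account name below is a hypothetical placeholder.
param([string]$ServiceAccount = 'CONTOSO\svc-task')

# Well-known SIDs of the three default holders listed in the answer.
$DefaultSids = [ordered]@{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
    'S-1-5-32-559' = 'BUILTIN\Performance Log Users'
}

function Get-BatchLogonSids {
    param([string[]]$InfLines)
    # secedit writes one line such as: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
    $line = $InfLines | Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' } | Select-Object -First 1
    if (-not $line) { return @() }   # the right is not defined at all
    ($line -split '=', 2)[1] -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) }   # "*<SID>" form
        else {
            # Entries written as plain account names are translated to a SID.
            try { ([System.Security.Principal.NTAccount]$entry).Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $entry }   # keep the raw text if it cannot be resolved
        }
    } | Where-Object { $_ }
}

# Export only the user-rights area of the current security policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$sids = @(Get-BatchLogonSids -InfLines (Get-Content $cfg))
Remove-Item $cfg -ErrorAction SilentlyContinue

# Resolve the task account to its SID so the comparison is name-independent.
$acctSid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate([System.Security.Principal.SecurityIdentifier]).Value

# A missing default means the overriding policy replaced the list without re-adding it.
foreach ($sid in $DefaultSids.Keys) {
    if ($sids -notcontains $sid) { Write-Warning "Default holder missing: $($DefaultSids[$sid])" }
}
if ($sids -contains $acctSid) { "$ServiceAccount is listed for SeBatchLogonRight" }
else { Write-Warning "$ServiceAccount is not listed directly (it may still hold the right through a group)" }
```

A warning for any of the three default groups indicates the overriding policy was saved without them.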

Comments

  • BenC over 1 year

    I'm trying to run a Scheduled Task on a 2008 R2 Domain Controller and all was well until I set it into the production environment. I'm running the task as a Domain User that's defined in the "Log on as a batch job" setting. For giggles I also added the account to "Allow log on locally" after the former failed.

    When I'm prompted for the password after setting up the task I receive the error: "An error has occurred for the task ########. Error message: The following error was reported: Logon failure: the user has not been granted the requested logon type at this computer.."

    I'm thinking that because this is a DC that maybe it needs something else?

  • BenC about 12 years
    I did try that out and it didn't work. Ultimately, I don't want this account to be allowed to log on locally though. I only want it to run the scheduled task.