Windows Server 2016 Task Scheduler doesn't save domain user to run as properly


Turns out it was an extra privilege that was on the new box that needed to be disabled and then Task Scheduler runs fine. "SeDelegateSessionUserImpersonatePrivilege" was the culprit.

What caused me to believe it was the Task Scheduler is that the Task Scheduler has changed how it saves the user in the XML: it used to save it as “DOMAIN\USER” but now it saves it as a SID (security identifier) and doesn’t display the domain portion in the ‘Run As’ section of the Task Scheduler.

When I ran whoami /all I saw that one privilege was on the new box but not the old box.

That privilege was: SeDelegateSessionUserImpersonatePrivilege = disabled

Removing this privilege fixes the issue.

So on Windows Server 2016 Standard build 14393, enabling or removing the privilege SeDelegateSessionUserImpersonatePrivilege fixes this issue of tasks not running as the stored user in Task Scheduler.

EDIT: Windows Server 2016 Task Scheduler correctly runs tasks that were set up right the first time with no edits, that had the checkbox ‘Run with highest privileges’ unchecked, and that start in the future. So if you need to modify a scheduled task, you should probably create a brand new task and then delete the old one rather than edit an existing task.
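An added PowerShell diagnostic (not part of the original post) that automates the two checks described above: it reads each root-level task's XML to show whether the Run As principal is stored as a SID or as a DOMAIN\USER name and resolves a SID back to an account, and it reports whether SeDelegateSessionUserImpersonatePrivilege is present on the current token. It assumes the ScheduledTasks module (Windows Server 2012 or later) and is run as the account whose token you want to compare between the old and new box.

```powershell
# Added diagnostic, not from the original post. Assumes the ScheduledTasks module
# and that it runs under the account whose token you want to inspect.

function Get-TaskRunAsIdentity {
    # For each task in the given folder, show how the Run As principal is stored
    # (SID vs. account name) and what the stored value resolves to.
    param([string]$TaskPath = '\')
    Get-ScheduledTask -TaskPath $TaskPath | ForEach-Object {
        [xml]$xml = Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath
        $principal = $xml.Task.Principals.Principal
        $userId = $principal.UserId
        $storedAsSid = $userId -match '^S-1-\d+(-\d+)+$'
        $resolved = $userId
        if ($storedAsSid) {
            try {
                # Translate the SID the task XML now carries back to DOMAIN\USER.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($userId)
                $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $resolved = '<unresolvable SID>'   # e.g. domain unreachable or orphaned SID
            }
        }
        [pscustomobject]@{
            TaskName   = $_.TaskName
            StoredAs   = if ($storedAsSid) { 'SID' } else { 'Name' }
            UserId     = $userId
            ResolvesTo = $resolved
            LogonType  = $principal.LogonType
            RunLevel   = $principal.RunLevel
        }
    }
}

function Test-DelegateImpersonatePrivilege {
    # whoami /priv lists every privilege on the current token, enabled or disabled;
    # the question is whether the privilege is on the token at all.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $hit = $privs | Where-Object { $_.'Privilege Name' -eq 'SeDelegateSessionUserImpersonatePrivilege' }
    [pscustomobject]@{
        Privilege = 'SeDelegateSessionUserImpersonatePrivilege'
        Present   = [bool]$hit
        State     = if ($hit) { $hit.State } else { 'not on token' }
    }
}

Get-TaskRunAsIdentity | Format-Table -AutoSize
Test-DelegateImpersonatePrivilege
```

Run it on both the working 2012 R2 box and the failing 2016 box; a task whose UserId resolves correctly but still runs as the wrong account, combined with Present = True for the privilege, matches the symptom described in the answer.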


Updated on September 18, 2022

Comments

  • John Aho
    John Aho over 1 year

    The Task Scheduler(TS) isn't saving domain information for run task as user.

    Steps to replicate:

    In General->Security Options it shows which user the task will run as with the button "Change User or Group" beside it.

    The TS lets me change the user to a domain user and shows "DOMAIN\USER" in the field.

    Pressing OK prompts me to enter the password for "DOMAIN\USER" which I do.

    Opening up the TS task again shows that the domain part of the "DOMAIN\USER" has been stripped out of the Run As field.

    When that task is run, it does not run as the "DOMAIN\USER".

    Expected Behavior

    TS should run the task as the Run As user, like it does on Server 2012 R2.

    OS Details

    OS is Windows Server 2016 Standard build | Version 10.0.14393 Build 14393, and the server is part of a domain.

    EDIT: In Windows 10 it looks like it does the same thing, but the user does end up being run as correctly. The exported task XML used to look like this: <UserId>DOMAIN\USER</UserId> but now it looks like this: <UserId>[numbers-with-a-lot-of-hyphens-that-starts-with-a-letter]</UserId>

    EDIT-2: It looks like what's being stored in the XML settings is a Windows SID (security identifier).

    • strongline
      strongline over 6 years
      Check if your domain policy allows "Stored credential". Check if granting the "allow log on as batch job" user right helps.
    • John Aho
      John Aho over 6 years
      I don't have access to the domain policy, but scheduled tasks using the same user on a Windows Server 2012 R2 work fine. It stores the credentials OK and runs if the user isn't logged on as the domain user.
    • strongline
      strongline over 6 years
      A different machine could be getting different policies. Run gpresult to find out. To see what user rights this account has, run "whoami /all".
    • John Aho
      John Aho over 6 years
      @strongline - The 2016 server has one privilege set that the other doesn't: SeDelegateSessionUserImpersonatePrivilege = disabled
  • Squashman
    Squashman about 5 years
    Where do I remove this setting?
  • John Aho
    John Aho almost 5 years
    This setting is in the Group Policy Management Console. To open the Group Policy Management Console, go back to the Accessories category in the All Programs section of the Start menu, click "Run," type "gpmc.msc" in the box and then click "OK" to open it.
  • Skurfur
    Skurfur about 2 years
    When you're in the Group Policy editor, ensure the policy for SeDelegateSessionUserImpersonatePrivilege is not grayed out. If it is grayed out, then there's probably a domain policy overriding it. @Squashman, the GPO is 'Obtain an impersonation token for another user in the same session' in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.