Permissions for Scheduled Tasks on a Domain Controller

Question

I'm trying to run a Scheduled Task on a 2008 R2 Domain Controller and all was well until I set it into the production environment. I'm running the task as a Domain User that's defined in the "Log on as a batch job" setting. For giggles I also added the account to "Allow log on locally" after the former failed.

When I'm prompted for the password after setting up the task I receive the error: "An error has occurred for the task ########. Error message: The following error was reported: Logon failure: the user has not been granted the requested logon type at this computer.."

I'm thinking that because this a DC that maybe it needs something else?

Answer 1

"Log on as batch job" should be all the account needs to run a simple task on the DC. How did you give the account that permission? In a vanilla 2008 R2 AD, that privilege is configured in the Default Domain Controllers Policy GPO to include:

• BUILTIN\Performance Log Users
• BUILTIN\Backup Operators
• BUILTIN\Administrators

In order to add a user or group to that list, you'd either have to edit that policy or create a new policy to override that setting. Since editing MS default policies is a bad idea, you should create a new policy with the setting overridden. Make sure you include the default groups listed above as well as the user you're trying to give access to. This particular setting gets overwritten (rather than merged) if there are multiple policies trying to configure it.

Answer 2

Did you check if the account has the "Allow log on locally" right in the Domain Controller? This is done in the Domain Controller Security Policy:

GroupPolicyObjectName [DomainControllerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment

As stated in: http://technet.microsoft.com/en-us/library/cc785165%28WS.10%29.aspx

EDIT: there is a "Logon as service" privilege for the user.

HTH