In my Active Directory environment (DC runs Windows Server 2003 R2 SP2), there is a Windows Server 2008 R2 SP1 client. On this client, there are scheduled tasks that are running under the local admin account. I want to add a task that will be running under a domain account BackupUser. BackupUser is a member of domain Backup Operators group.
Task Scheduler fails to add the task with the error 2147943785. It's a permission issue and may be fixed by assigning Log on as a batch job right to BackupUser. But doing this via the Group Policy overwrites the default value which is "Backup Operators, Administrators". This causes tasks that are running under the local admin account to stop working. It is unable to assign Log on as a batch job right to these default groups via the Group Policy as they are builtin and simply not available to add.
How to allow (via the Group Policy) a domain user to run a task without breaking the ability to run tasks under the local admin?
The only way I found yet is to add BackupUser to Domain Admins group (even not to Administrators!) and not to touch Log on as a batch job at all. But it is surely a wrong way to do things.
