question

AnthonyEdwards-2049 avatar image
0 Votes"
AnthonyEdwards-2049 asked ·

scheduled task wont run batch file even with "Log on as a batch job"

Hello,

I am a bit unsure why this stopped working but we have a DC (2016) that runs a daily bat file for reporting, it randomly stopped working.

We had this account defined in the Default domain controller policy for "Allow log on as a batch job" and the account was not listed in "Deny log on as a batch job" under this policy.

This task does not run (set to run even when user is not logged in) and when we edit the task to reverify the creds it comes up with the following;
This task requires that the user account specified has log on as batch job rights....

We undefined the settings in the default domain controller policy and it is also not specified in the default server policy, we ran gpupdate/restarted, and then in local policy on the machine iteself ( we could amend the setting and added the user, also checking the deny. The blasted task still comes up as the same error.

In task history we get "Task Scheduler failed to start "\Daily Reports" task for user "USERACCOUNT123". Additional Data: Error Value: 2147943785."

We can run the script manually and it works, I am at a loss?!
would appreciate some help and thanks in advance!



windows-serverwindows-group-policy
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AnthonyEdwards-2049 avatar image
0 Votes"
AnthonyEdwards-2049 answered ·

also to note when I run RSOP /R it errors (Details None) and also GPRESULT /R says access denied. obviously not very helpful.

gpresult /r /scope USER -this works okay
gpresult /r /scope COMPUTER -access denied

These are run in elevated cmd prompt. I am also logged in as domain admin...

·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

FanFan-MSFT avatar image
0 Votes"
FanFan-MSFT answered ·

Hi,
Would you please tell how did you configure the schedule task?
Is is a user configuration, right?
What if you configure the task run as system?
Will the same error display again?
75194-383.jpg

Best Regards,


383.jpg (137.6 KiB)
·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AnthonyEdwards-2049 avatar image
0 Votes"
AnthonyEdwards-2049 answered ·

The task running under system is running indefinitely assume because it hasn't got rights to complete the action I guess.

· 1 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,

You did logoff and logon to refresh the permission, right?
If possible , would you please run the gpresult /h report.html on the client and share a screenshot here?(please hide the private information.)

Best Regards,

0 Votes 0 ·
AnthonyEdwards-2049 avatar image
0 Votes"
AnthonyEdwards-2049 answered ·

Appreciate your help. we tried multiple restarts.

gpresult /h report.html
access denied! with domain admin and elevated CMD.

·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

AnthonyEdwards-2049 avatar image
0 Votes"
AnthonyEdwards-2049 answered ·

in fairness, I believe this issue preexisted the scheduled report issue.

· 1 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
To know the issue more clearly, would you please help confirm the following questions again :
Where did you try to run the batch file?
The policy Log on as a batch job on the default domain controller GPO, right?
And the task schedule task was configured on for the user, right?
Best Regards,

0 Votes 0 ·
AnthonyEdwards-2049 avatar image
0 Votes"
AnthonyEdwards-2049 answered ·

Hello,

This was run on a DC as the domain admin, the BAT runs a DFSR report and a Password Expiry lookup.

The reports run if we double click the bat file so specifically (logged in as the domain admin), the scheduled task is the issue.

The GP was using the default domain controller policy and when we checked secpol (local), where the users/groups that could run the batch job were greyed out, we undeclared the policy in the default domain controller policy and rebooted. The local policy was then editable and the user has been added to both but we still get the issue.

The user is not in the deny policy, even within the default domain policy.

At a loss. The GPresult or RSOP would definitely aid the diagnosis but we can't run these successfully on the computer policy, it does work specifically for the user (scope) but this doesn't help us get to the root cause any easier.

· 1 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.


In this situation, i would suggest you clear the task schedule, and make sure the user rights was granted successfully. Run gpresult /h to check if any conflicts for the policies.
Then please pay attention that :
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Best Regards,

0 Votes 0 ·
AnthonyEdwards-2049 avatar image
0 Votes"
AnthonyEdwards-2049 answered ·

Thanks for the above, unfortunately, that the gpresult comes back as access denied and we have rebooted after changes. I have actually recreated tasks without success. I guess there is a deeper root issue.

· 1 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
Then you can use the gpsvc log to check more details .For more details about the GPSVC log, you can refer to:
https://blogs.technet.microsoft.com/askds/2015/04/17/a-treatise-on-group-policy-troubleshootingnow-with-gpsvc-log-analysis/

It is not suggested to share more logs here due to the security reason.

If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business

Best Regards,

0 Votes 0 ·