Re: Prevent Users interactive login, but allow them to run batch j

"Avil" <Avil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message

"Avil" wrote:

That user is member of "Domain Users" group. I also made that user a
of local "Users" group at the client machine. Still no luck.
I made this user member of the local "admin" group at the client machine.
works fine

Well, I am obviously in the dark Avil as to the specifics of the
job it is supposed to execute, but at least now you know you only
need to discover what Administrators has granted to it that is
needed for this account to run the job without being an admin.
What sort of auditing do you have enabled that might help?

"Roger Abell [MVP]" wrote:

"Avil" <Avil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
I have set this settings on a test OU. The first seeting works
on Locally) But the second setting "Log on as batch job" has no
scheduled batch job ends with the error code 0*1

The batch job runs fine with other users.

That makes it sound like those user rights adjustments are
effective, but that the account needs something else. Is it
a member of the machine's Users group by some means?

"Roger Abell [MVP]" wrote:

"Avil" <Avil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
Thank You,
I tried the following step which did not work.
Under Domain Group Policy,
I added the user to "Deny Login Locally"
and to "Login as Batch Job"
But this does not work.

If those are not set elsewhere in GPOs applied after the
GPO in which you set these, and if there was time for the
new values to replicate and get applied at the test machine,
then they should have had your desired effect.

That said, I will add that doing as you did is potentially
dangerous as those settings will wipe out what may have
been set for those at the local machine level, replacing with
what you set in the GPO. Hopefully you did that in a GPO
that only impacts the test machines.


"Roger Abell [MVP]" wrote:

"Avil" <Avil@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
I have a Windows 2000 ADS domain. I need some domain user
run batch jobs but they should not be able to login to domain
alt-ctl-delete. Is it possible to implement?

Is it possible? Yes.
Is it simple to implement? That depends on how your Windows
deployment is currently configured.

In the default, user accounts are members of Domain Users, and
Domain Users as well as Authenticated Users are made members
of the Users group of all domain joined machines.

You want an account that
a) does not have a grant of Log on locally, or if it does then is
also listed in the Deny log on locally (these are in User
b) does have user right grant of batch logon

Just how you effect it so that the account meets those depends on
how you have or have not taken control over user rights on

One possible approach is to make the accounts not be members of
Domain Users. However, that does not fully address the issue as
Authenticated Users would still allow local login to the account.
Another possible approach is to use the Deny local login setting
but that gets very messy in an infrastructure as the only way to
that centrally (without coding that connects to each machine and
sets it) is via GPO and that will wipe out anything already
in that setting.