Re: Log on as a batch job
- From: "Will" <westes-usc@xxxxxxxxxxxxxx>
- Date: Wed, 10 Oct 2007 16:23:03 -0700
"KieronH" <KieronH@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8B21FA5E-EB6E-4434-A9D7-1DDAFFF87A6A@xxxxxxxxxxxxxxxx
Hi Ivan,
Depending on the task you are trying to run, the account you use may need to
be a member of the local Administrators group on the PC.
Alternatively, forget XP's inbuilt task scheduler and have a look at
Splinterware's System Scheduler Free Version -
http://www.splinterware.com/products/wincron.htm
I use this on an XP machine that had similar problems with XP task
scheduler, and this utility sorted me just fine.
I thought that Administrators group has implicit membership in Logon as a
Batch Job? And the entire point of Logon as a Batch Job privilege is to
create a reduced privilege level so you don't go compromising the machine
every time a user needs to run a batch job. In a perfect world no one
ever needs Administrator privilege who doesn't have legitimate needs to
*administer* the box.
My brief experiments suggest that running a scheduled task requires the user
context that runs the task to load a user profile, and apparently on our
Windows XP install that required the user to have the additional user
privilege of "Logon as a User". Note that we run with stricter than normal
permissions, and this behavior may be a side effect of our particular setup.
We strip out Everyone and Authenticated Users from most of our ACLs.
I am very interested in knowing what is the correct answer to the question
that was asked on a stock Windows XP installation. And a slightly more
technical question: when a user is logged in to a box with Logon as a
Batch Job, what security groups does that implicitly add that user into?
--
Will
"Ivan" wrote:
We have a Windows XP Professional machine in a domain on which we're trying
to run a scheduled task as a domain account. We've added this domain account
into a local group which is included in the "Log on as a batch job"
privilege. This privilege is assigned through group policy, and confirmed on
the machine by rsop.msc.
However when we attempt to start the scheduled task we receive a "Could not
start" message in Scheduled tasks and an error in the application event log
stating that the domain account cannot be loaded. Are there other sections
in User Rights Assignment (for example "Log on as a service") where we have
to add the local account (containing the domain account) in order to run our
scheduled task?
--
Ivan
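
Added example, not part of the original thread: one way to see which logon rights a task account actually receives, directly or through its groups, is to parse the [Privilege Rights] section of a "secedit /export /areas USER_RIGHTS /cfg rights.inf" dump. The account name, group names and sample export below are constructed for illustration.

```python
# Added example: audit logon rights from a secedit USER_RIGHTS export.
# SAMPLE_INF is constructed; real exports are UTF-16 and prefix SIDs with "*".
SAMPLE_INF = r"""
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,BatchJobUsers
SeServiceLogonRight = *S-1-5-20
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyBatchLogonRight = Contractors
[Version]
signature="$CHICAGO$"
"""

LOGON_RIGHTS = {
    "SeBatchLogonRight": "Log on as a batch job",
    "SeServiceLogonRight": "Log on as a service",
    "SeInteractiveLogonRight": "Log on locally",
    "SeDenyBatchLogonRight": "Deny logon as a batch job",
}

def parse_privilege_rights(inf_text):
    """Return {right: set of lowercased principals} from [Privilege Rights]."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, holders = line.partition("=")
            rights[name.strip()] = {
                h.strip().lstrip("*").lower() for h in holders.split(",") if h.strip()
            }
    return rights

def logon_rights_for(rights, principals):
    """Map each logon right to the principals (account or its groups) holding it."""
    wanted = {p.lower() for p in principals}
    return {name: sorted(rights.get(name, set()) & wanted) for name in LOGON_RIGHTS}

def can_batch_logon(rights, principals):
    """Granted through at least one principal and not blocked by the deny right."""
    held = logon_rights_for(rights, principals)
    return bool(held["SeBatchLogonRight"]) and not held["SeDenyBatchLogonRight"]

if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_INF)
    token = [r"EXAMPLE\svc-task", "BatchJobUsers"]  # hypothetical account + group
    for name, via in logon_rights_for(parsed, token).items():
        print(f"{LOGON_RIGHTS[name]:28} {', '.join(via) or '-'}")
    print("batch logon permitted:", can_batch_logon(parsed, token))
```

In the constructed data the account holds the batch right through its group but no interactive or service logon right, so the report shows a least-privilege assignment at a glance.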