Active Directory Scheduled Task Logon Problem

Otacon · 5 Jul 2006 at 10:26

Ok, this is a strange one, get your game faces on.

I have a mixed mode AD network here, with a pair of 2003 DC's and a pair of NT4 DC's (which are being decommissioned), and a total of some 20 odd servers. At the end of last week - with no changes applied to the servers or any updates applied to my knowledge - any scheduled task that was told to log in using a domain account (read: nearly all of them) just wouldn't start (literally, 'Could Not start' status). If I go in and overtype the password, it starts and will do so for a time, but when left for a few hours (for it's scheduled run time through the night), it wont start again.

The scheduled task log provides this nugget:

"External_Disk_Copy.job" (Backup_Data.bat) 7/4/2006 7:00:00 PM ** ERROR **
The attempt to log on to the account associated with the task failed, therefore, the task did not run.
The specific error is:
0x80070569: Logon failure: the user has not been granted the requested logon type at this computer.
Verify that the task's Run-as name and password are valid and try again.

Googling the error code doesn’t reveal a great deal, some suggestions that the accounts need to be granted logon as a batch job right, which I dropped into the domain security policy but it's made no difference.

So.... any suggestions?

[edit]And fwiw, I get a success event for type 4 (batch job) when it tries to start... but still doesnt:

Successful Logon:
User Name: USERNAME
Domain: DOMAINNAME
Logon ID: (0x0,0x40FD1D)
Logon Type: 4
Logon Process: DCOMSCM
Authentication Package: Negotiate
Workstation Name: SERVER
Logon GUID: {45359976-26d6-26a9-b66f-b24a3d7a05ce}
Caller User Name: SERVER$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 900
Transited Services: -
Source Network Address: -
Source Port: -

=================================
Special privileges assigned to new logon:
User Name:
Domain:
Logon ID: (0x0,0x40FD1D)
Privileges: SeImpersonatePrivilege
SeSecurityPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeLoadDriverPrivilege

===================================
User Logoff:
User Name: USERNAME
Domain: DOMAINNAME
Logon ID: (0x0,0x40FD1D)
Logon Type: 4

crashuk · 5 Jul 2006 at 10:40

did you grant it as local?
Administrative tool > Local security policy > Local Policies > User Rights Assignment > Logon as a batch job > Add

Otacon · 5 Jul 2006 at 10:54

crashuk said:
did you grant it as local?
Administrative tool > Local security policy > Local Policies > User Rights Assignment > Logon as a batch job > Add

The account(s) are already listed there as they're set by policy. I think it's a red herring anyway, as I have successful logon entries for type 4 - which is batch job.

crashuk · 5 Jul 2006 at 10:58

i looked at various forums and people with almost the same problem as you, and some guy came up with a work around.
http://www.chicagotech.net/Windows/scheduled1.htm

http://msdn.microsoft.com/library/d.../security/running_with_special_privileges.asp

Otacon · 5 Jul 2006 at 12:33

It's unchecked already, but I toggled it just because and it hasn't made a difference.

Think I'm gonna raise a support call with Redmond direct for this one. I cant be without a reliable scheduler for the entire domain :/