gmsa account - running windows tasks.

gabrielluizbh 

That error code translates to:

>net helpmsg 1385
>Logon failure: the user has not been granted the requested logon type at this computer.

So, even though you say you've granted that right, somehow, it's either not taking effect or not enough on its own.

With respect to "taking effect", use something like "gpresult /h rsop.html /scope computer" to generate and inspect the resultant set of policy. If the account is not listed in the "Log on as batch job" then you should also be able to see in that same report which group policy is overriding the method you used.

If it is listed then the "logon as batch job" is not enough on its own, but since there's not many others that are relevant (see the TASK_LOGON_TYPE enumeration below), it'd be unusual to encounter this.

If anything's missing, it'd likely be the "interactive" right, which could be the case of Domain Admins is not actually a member of the local Administrators group (if this is a member server) or Domain Admins has actually been denied certain logon types or scopes of computers (again, unlikely outside of high security environments).

It would be more likely that your attempt to provide the right has been overridden by something else (or simply didn't work to begin with.)

TASK_LOGON_TYPE (taskschd.h) - Win32 apps | Microsoft Docs

In any case, check the resultant set of policy to verify which accounts have which of the different kinds of logon rights.

Cheers,

Lain