Forum Discussion

gabrielluizbh's avatar
gabrielluizbh
MVP
Mar 08, 2022

gmsa account - running windows tasks.

I created a gmsa account, installed it on the server to run the scheduled task on windows. Enter the gmsa account as domain administrator and dhcp administrator, since the script that the task will...
gMSA
windows server 2012 r2
LainRobertson's avatar
LainRobertson
Silver Contributor
Apr 08, 2022

gabrielluizbh 

 

That error code translates to:

>net helpmsg 1385
>Logon failure: the user has not been granted the requested logon type at this computer.

 

So, even though you say you've granted that right, somehow, it's either not taking effect or not enough on its own.

 

With respect to "taking effect", use something like "gpresult /h rsop.html /scope computer" to generate and inspect the resultant set of policy. If the account is not listed in the "Log on as batch job" then you should also be able to see in that same report which group policy is overriding the method you used.

 

If it is listed then the "logon as batch job" is not enough on its own, but since there's not many others that are relevant (see the TASK_LOGON_TYPE enumeration below), it'd be unusual to encounter this.

 

If anything's missing, it'd likely be the "interactive" right, which could be the case of Domain Admins is not actually a member of the local Administrators group (if this is a member server) or Domain Admins has actually been denied certain logon types or scopes of computers (again, unlikely outside of high security environments).

 

It would be more likely that your attempt to provide the right has been overridden by something else (or simply didn't work to begin with.)

 

TASK_LOGON_TYPE (taskschd.h) - Win32 apps | Microsoft Docs

 

In any case, check the resultant set of policy to verify which accounts have which of the different kinds of logon rights.

 

Cheers,

Lain

Resources