Mar 08 2022 05:58 AM
I created a gmsa account, installed it on the server to run the scheduled task on windows.
Enter the gmsa account as domain administrator and dhcp administrator, since the script that the task will execute is a task of the dhcp server.
Enter the gmsa account in Log on as a batch job.
Even so, the error occurs when executing the task in the task scheduler.
Mar 12 2022 09:16 AM
Apr 07 2022 02:22 PM - edited Apr 07 2022 02:23 PM
And if it's a member directly of the local administrators group?
Apr 07 2022 02:25 PM
Apr 08 2022 02:59 AM
That error code translates to:
>net helpmsg 1385
>Logon failure: the user has not been granted the requested logon type at this computer.
So, even though you say you've granted that right, somehow, it's either not taking effect or not enough on its own.
With respect to "taking effect", use something like "gpresult /h rsop.html /scope computer" to generate and inspect the resultant set of policy. If the account is not listed in the "Log on as batch job" then you should also be able to see in that same report which group policy is overriding the method you used.
If it is listed then the "logon as batch job" is not enough on its own, but since there's not many others that are relevant (see the TASK_LOGON_TYPE enumeration below), it'd be unusual to encounter this.
If anything's missing, it'd likely be the "interactive" right, which could be the case of Domain Admins is not actually a member of the local Administrators group (if this is a member server) or Domain Admins has actually been denied certain logon types or scopes of computers (again, unlikely outside of high security environments).
It would be more likely that your attempt to provide the right has been overridden by something else (or simply didn't work to begin with.)
TASK_LOGON_TYPE (taskschd.h) - Win32 apps | Microsoft Docs
In any case, check the resultant set of policy to verify which accounts have which of the different kinds of logon rights.
Cheers,
Lain
May 08 2022 11:54 PM