Scheduled task won't run batch file even with "Log on as a batch job"

Anthony Edwards 21 Reputation points
2021-03-05T16:44:17.58+00:00

Hello,

I am a bit unsure why this stopped working, but we have a DC (2016) that runs a daily bat file for reporting, and it randomly stopped working.

We had this account defined in the Default domain controller policy for "Allow log on as a batch job" and the account was not listed in "Deny log on as a batch job" under this policy.

This task does not run (set to run even when user is not logged in), and when we edit the task to reverify the creds it comes up with the following:
This task requires that the user account specified has log on as batch job rights....

We undefined the settings in the default domain controller policy, and it is also not specified in the default server policy. We ran gpupdate/restarted, and then in local policy on the machine itself we could amend the setting and added the user, also checking the deny. The blasted task still comes up with the same error.

In task history we get "Task Scheduler failed to start "\Daily Reports" task for user "USERACCOUNT123". Additional Data: Error Value: 2147943785."

We can run the script manually and it works. I am at a loss?!
Would appreciate some help, and thanks in advance!


7 answers

  1. Anthony Edwards 21 Reputation points
    2021-03-11T08:59:46.087+00:00

    Hello,

    This was run on a DC as the domain admin, the BAT runs a DFSR report and a Password Expiry lookup.

    The reports run if we double-click the bat file (logged in as the domain admin), so specifically the scheduled task is the issue.

    The GP was using the default domain controller policy and when we checked secpol (local), where the users/groups that could run the batch job were greyed out, we undeclared the policy in the default domain controller policy and rebooted. The local policy was then editable and the user has been added to both but we still get the issue.

    The user is not in the deny policy, even within the default domain policy.

    At a loss. The GPresult or RSOP would definitely aid the diagnosis but we can't run these successfully on the computer policy, it does work specifically for the user (scope) but this doesn't help us get to the root cause any easier.


  2. Anthony Edwards 21 Reputation points
    2021-03-12T08:21:35.697+00:00

    Thanks for the above. Unfortunately, the gpresult comes back as access denied, and we have rebooted after changes. I have actually recreated tasks without success. I guess there is a deeper root issue.
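
The posts above cite Error Value 2147943785 and report that gpresult cannot be run for the computer scope. As an added example (not part of the thread), this PowerShell script decodes that value and lists the "Log on as a batch job" and "Deny log on as a batch job" assignments exported from the machine's security database with secedit; the `DOMAIN\` prefix and the temp file name are placeholders, and the script assumes an elevated session on the server that hosts the task.

```powershell
# Added example, not from the thread. Run elevated on the server hosting the task.
$account    = 'DOMAIN\USERACCOUNT123'  # placeholder domain; use the task's run-as account
$errorValue = 2147943785               # "Error Value" from the Task Scheduler history entry

# The low 16 bits of the HRESULT (0x80070569) carry the Win32 error code (1385).
$win32 = [int]($errorValue -band 0xFFFF)
'{0} = 0x{0:X8} -> Win32 {1}: {2}' -f $errorValue, $win32,
    ([ComponentModel.Win32Exception]::new($win32)).Message

# Resolve the run-as account to its SID; the export lists most principals as *SID.
$sid = ([Security.Principal.NTAccount]$account).Translate(
    [Security.Principal.SecurityIdentifier]).Value

# Export only the user rights area, read it, and remove the temp file.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # placeholder file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

foreach ($right in 'SeBatchLogonRight', 'SeDenyBatchLogonRight') {
    # A right with no assignees is simply absent from the export.
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $entries = @()
    if ($line) {
        $entries = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
    "`n$right ($($entries.Count) entries)"
    foreach ($e in $entries) {
        $name = $e
        if ($e -like 'S-1-*') {
            try {
                $name = ([Security.Principal.SecurityIdentifier]$e).Translate(
                    [Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved SID>' }
        }
        # Flag a direct assignment to the task account (group membership is not expanded).
        $mark = if ($e -eq $sid -or $name -eq $account) { '  <-- task account' } else { '' }
        "  $e  $name$mark"
    }
}
```

Win32 error 1385 is ERROR_LOGON_TYPE_NOT_GRANTED, which matches the "log on as batch job rights" prompt quoted in the question. The right can also be held or denied through a group, so a listed group counts if the account is a member of it.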