Hello,
This was run on a DC as the domain admin, the BAT runs a DFSR report and a Password Expiry lookup.
The reports run if we double click the bat file so specifically (logged in as the domain admin), the scheduled task is the issue.
The GP was using the default domain controller policy and when we checked secpol (local), where the users/groups that could run the batch job were greyed out, we undeclared the policy in the default domain controller policy and rebooted. The local policy was then editable and the user has been added to both but we still get the issue.
The user is not in the deny policy, even within the default domain policy.
At a loss. The GPresult or RSOP would definitely aid the diagnosis but we can't run these successfully on the computer policy, it does work specifically for the user (scope) but this doesn't help us get to the root cause any easier.