none
Permissions to run batch job

    Question

  • Hello,

    I have a Windows 2008 domain.  I have a domain user that I would like to use to run a Scheduled Task.  The task runs a batch file which restarts the DNS service on the DC.

    What permissions do I need to give the user?

    I'm currently receiving the operational code (2) so I believe it's a permissions issue.

    Thank you in advance!

    Regards,

    Terry

    Friday, December 28, 2012 2:27 PM

Answers

  • You can edit the local policy or Group policy for that machine. The settings are located in:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job    

    "Description

    Allows a user to be logged on by means of a batch-queue facility.

    For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

    By default, only the  LocalSystem account has the privilege to be logged on as a batch job."

    http://technet.microsoft.com/en-us/library/cc755659(v=ws.10).aspx


    ...

    Saturday, December 29, 2012 6:22 PM
  • tbrothers wrote:

    Hello,



    I have a Windows 2008 domain.  I have a domain user that I would like
    to use to run a Scheduled Task.  The task runs a batch file which
    restarts the DNS service on the DC.


    What permissions do I need to give the user?

    I'm currently receiving the operational code (2) so I believe it's a
    permissions issue.

    Thank you in advance!

    Regards,

    Terry

    Normally those permissions are only granted members of the
    administrators group for the server, which is at the domain level the
    domain admins group. But you could use a native account like SYSTEM,
    too.

    Or you add permissions

    a) for starting services and b) for running a batch job

    to the user, you want to use for this job explicitly, via the security
    policy for the server.


    Wolfgang
    Friday, December 28, 2012 7:56 PM
  • Hi Terry,


    By default, DNS Server Service logs on as Local System account and DNS Client Service logs on as Network Service account.


    However, these accounts are Windows built-in accounts and we cannot manage them manually. Instead, we can use administrator account to manage the above two services.


    If we would like a standard user to run a privileged task, we can try the following settings:




    Hope this helps.


    Jeremy Wu
    TechNet Community Support

    Monday, December 31, 2012 6:08 AM
    Moderator

All replies

  • I have it working but I had to add the user to the Administrators group.  But I don't like giving more permissions than are required.  There has to be a better solution ... I hope!

    Terry

    Friday, December 28, 2012 7:44 PM
  • tbrothers wrote:

    Hello,



    I have a Windows 2008 domain.  I have a domain user that I would like
    to use to run a Scheduled Task.  The task runs a batch file which
    restarts the DNS service on the DC.


    What permissions do I need to give the user?

    I'm currently receiving the operational code (2) so I believe it's a
    permissions issue.

    Thank you in advance!

    Regards,

    Terry

    Normally those permissions are only granted members of the
    administrators group for the server, which is at the domain level the
    domain admins group. But you could use a native account like SYSTEM,
    too.

    Or you add permissions

    a) for starting services and b) for running a batch job

    to the user, you want to use for this job explicitly, via the security
    policy for the server.


    Wolfgang
    Friday, December 28, 2012 7:56 PM
  • You can edit the local policy or Group policy for that machine. The settings are located in:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job    

    "Description

    Allows a user to be logged on by means of a batch-queue facility.

    For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.

    This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

    By default, only the  LocalSystem account has the privilege to be logged on as a batch job."

    http://technet.microsoft.com/en-us/library/cc755659(v=ws.10).aspx


    ...

    Saturday, December 29, 2012 6:22 PM
  • Hi Terry,


    By default, DNS Server Service logs on as Local System account and DNS Client Service logs on as Network Service account.


    However, these accounts are Windows built-in accounts and we cannot manage them manually. Instead, we can use administrator account to manage the above two services.


    If we would like a standard user to run a privileged task, we can try the following settings:




    Hope this helps.


    Jeremy Wu
    TechNet Community Support

    Monday, December 31, 2012 6:08 AM
    Moderator