The Task Scheduler isn't saving domain information for running a task as user. (Windows Server 2016 Std)

  • Question

  • The Task Scheduler (TS) isn't saving domain information for running a task as user.

    Steps to replicate:

    In General->Security Options it shows which user the task will run as with the button "Change User or Group" beside it.

    The TS lets me change the user to a domain user and shows "DOMAIN\USER" in the field.

    Pressing OK prompts me to enter the password for "DOMAIN\USER" which I do.

    Opening up the TS task again shows that the domain part of the "DOMAIN\USER" has been stripped out of the Run As field.

    When that task is run, it does not run as the "DOMAIN\USER".

    Expected Behavior

    TS should run the task as the specified user, like it does on Server 2012 R2.

    OS Details

    OS is Windows Server 2016 Standard, Version 10.0.14393 Build 14393, and the server is part of a domain.

    I have tried to export the task, delete it, alter the user and import it, but I still get the same result of not having the domain present as part of the 'DOMAIN\USER' Run As field.


    • Edited by John Aho Monday, August 7, 2017 5:59 PM clarification
    Monday, August 7, 2017 5:57 PM

Answers

  • Turns out it was an extra privilege that was on the new box that needed to be disabled and then Task Scheduler runs fine. "SeDelegateSessionUserImpersonatePrivilege" was the culprit.

    What caused me to believe it was the Task Scheduler is that the Task Scheduler has changed how it saves the user in the XML: it used to save it as “DOMAIN\USER”, but now it saves it as a SID (security ID) and doesn’t display the domain portion in the ‘Run As’ section of the Task Scheduler.


    When I ran `whoami /all` I saw that one privilege was on the new box but not the old box. 

    That privilege was:
    SeDelegateSessionUserImpersonatePrivilege = disabled

    So on Windows Server 2016 Std build 14393, enabling or removing the privilege SeDelegateSessionUserImpersonatePrivilege fixes this issue of tasks not running as the stored user in Task Scheduler.
    • Marked as answer by John Aho Tuesday, August 8, 2017 9:46 PM
    Tuesday, August 8, 2017 9:46 PM
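
The diagnosis described in the answer above (diffing the privilege lists of the old and new box, and reading the SID now stored in the task XML), as an added PowerShell example that is not part of the original thread. The CSV rows, task XML and SID are constructed sample data, and the function names are hypothetical.

```powershell
# Constructed sample data, not captured from the poster's servers.
# Live equivalents: whoami /priv /fo csv   and   Export-ScheduledTask -TaskName <name>
$oldBoxCsv = @'
"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
'@
$newBoxCsv = @'
"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
"SeDelegateSessionUserImpersonatePrivilege","Obtain an impersonation token for another user in the same session","Disabled"
'@
$taskXml = @'
<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author">
    <UserId>S-1-5-21-1111111111-2222222222-3333333333-1105</UserId>
    <LogonType>Password</LogonType>
  </Principal></Principals>
</Task>
'@

function Get-PrivilegeTable([string]$CsvText) {
    $table = @{}   # privilege name -> Enabled/Disabled
    foreach ($row in ($CsvText | ConvertFrom-Csv)) { $table[$row.'Privilege Name'] = $row.State }
    $table
}

function Compare-PrivilegeTable([hashtable]$Old, [hashtable]$New) {
    # Emit only privileges whose presence or state differs between the two boxes.
    foreach ($name in (@($Old.Keys) + @($New.Keys) | Sort-Object -Unique)) {
        $was = if ($Old.ContainsKey($name)) { $Old[$name] } else { 'absent' }
        $now = if ($New.ContainsKey($name)) { $New[$name] } else { 'absent' }
        if ($was -ne $now) { [pscustomobject]@{ Privilege = $name; OldBox = $was; NewBox = $now } }
    }
}

function Resolve-TaskUser([string]$Xml) {
    # The task XML stores the run-as account as a SID; translate it back to DOMAIN\USER.
    $id = ([xml]$Xml).Task.Principals.Principal.UserId
    try   { $acct = ([Security.Principal.SecurityIdentifier]$id).Translate([Security.Principal.NTAccount]).Value }
    catch { $acct = '(not resolvable from this host)' }   # expected for the constructed SID
    [pscustomobject]@{ StoredUserId = $id; Account = $acct }
}

Compare-PrivilegeTable (Get-PrivilegeTable $oldBoxCsv) (Get-PrivilegeTable $newBoxCsv) | Format-Table -AutoSize
Resolve-TaskUser $taskXml | Format-List
```

Run on a domain-joined host against a real exported task, the second function shows the DOMAIN\USER behind the stored SID, which confirms the domain has not been lost even though the Run As field no longer displays it.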

All replies

  • You could add your feedback comments to this one on uservoice or also create your own.

    https://windowsserver.uservoice.com/forums/295047-general-feedback/suggestions/18599623-scheduled-tasks-do-not-store-domain-information-of

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Monday, August 7, 2017 6:47 PM
  • I can't find how to enable/remove the SeDelegateSessionUserImpersonatePrivilege privilege.

    Checked all GPO policies but I can't find anything similar.

    How can I enable it?

    Monday, May 21, 2018 12:42 PM