locked
CcmEval Scheduled task not being created with "Access Denied" error 0x80070005 only on XP machines RRS feed

  • Question

  • Before coming on here I checked out http://social.technet.microsoft.com/Forums/en-US/ddbfe6c3-ee54-4b2a-a3a7-a6515d974f76/client-check-failed-on-xpserver-2003-systems-onlyccmeval-is-not-being-scheduled?forum=configmanagerdeployment (GPO to allow scheduled tasks by users) and another thread about a hotfix that seems to be pre-XP SP3 and pre-CM 2012 R2.

    That said, I'm having an issue many seem to have, but I can't find the answer. From what I understand SCCM uses the user context to create the CcmEval task, but in XP users cannot set a task to run as any other user (ie SYSTEM in this instance) so what is the workaround? I can't just give users Administrator permissions to install the client.

    The exact log entries are:

    <![LOG[Client evaluation task doesn't exist.]LOG]!><time="19:05:43.548+360" date="12-14-2013" component="CcmEvalTask" context="" type="2" thread="4356" file="ccmevalcheck.cpp:705">

    <![LOG[Client evaluation task is not found or is disabled or is not compliant, perform remediation]LOG]!><time="19:05:43.548+360" date="12-14-2013" component="CcmEvalTask" context="" type="2" thread="4356" file="ccmevalcheck.cpp:341">

    <![LOG[Attempting to recreate client evaluation task.]LOG]!><time="19:05:43.548+360" date="12-14-2013" component="CcmEvalTask" context="" type="1" thread="4356" file="ccmevalcheck.cpp:833">

    <![LOG[Task scheduler 2.0 is not supported, peform task registration with 1.0 API.]LOG]!><time="19:05:43.548+360" date="12-14-2013" component="CcmEvalTask" context="" type="1" thread="4356" file="ccmevaltask.cpp:345">

    <![LOG[Failed to delete task Configuration Manager Health Evaluation (0x80070002).]LOG]!><time="19:05:43.548+360" date="12-14-2013" component="CcmEvalTask" context="" type="2" thread="4356" file="ccmevaltask.cpp:379">

    <![LOG[Failed to create task item (0x80070005).]LOG]!><time="19:05:43.548+360" date="12-14-2013" component="CcmEvalTask" context="" type="3" thread="4356" file="ccmevaltask.cpp:387">

    <![LOG[Failed to create client evaluation task.]LOG]!><time="19:05:43.548+360" date="12-14-2013" component="CcmEvalTask" context="" type="2" thread="4356" file="ccmevalcheck.cpp:850">

    The bolded section is what's telling me it's Access Denied, and manual creation of any program task set to run as SYSTEM tells me the same- users cannot do this; only admins can.

    What can I do?

    Sunday, December 15, 2013 1:40 AM

Answers

  • So after sifting through some RSOP results and GPO objects I found a policy that wasn't necessarily prohibiting creation of them. (Not where you think it would be - under Administrative Templates > Windows Components > Task Scheduler > "Prohibit New Task Creation" - this was set to allow them) but this one I found was a File Permissions policy that set SYSTEM permissions to READ and EXECUTE.

    I've changed this to FULL CONTROL for SYSTEM. I'm unable to get on the machines to examine everything closely, but from what I can see at least one of them has remediated themselves and now has a successful client check in the console. Hopefully the rest of them will come around as GP updates itself and the client does an evaluation to remediate the Scheduled Task.

    Hopefully this helps someone in the future as well.


    • Marked as answer by Paul_131 Monday, December 16, 2013 7:10 PM
    • Edited by Paul_131 Monday, December 16, 2013 7:11 PM
    Monday, December 16, 2013 7:09 PM

All replies

  • The thread reference is most certainly for ConfigMgr 2012 as ccmeval didn't exist until 2012. Also, pre-XP SP3 is not supported so that's not correct either.

    ConfigMgr does not perform any activity as anything other than the local System (except for deployments targeted to users) -- not sure what lead you to believe otherwise.

    Something is clearly preventing the task from being created though and Group Policy is always something to check as is your AV product.


    Jason | http://blog.configmgrftw.com

    Sunday, December 15, 2013 10:37 PM
  • Thanks for your reply, Jason.

    You are correct,  pre-XP SP3 isn't supported and we are using XP SP3, so that shouldn't be the issue. I've verified GPO isn't the issue; I've even gone as far as to disable the setting that would prevent creation of scheduled tasks.

    The only thing that led me to believe it was run as the user account was a thread that marked an answer containing that statement. I did think it was a bit odd if that was the case.

    So maybe I should be checking into why "Local System" cannot create tasks? My AV is SCEP/FEP (migrating), so I would sure hope that's not interfering.

    Sunday, December 15, 2013 10:49 PM
  • So after sifting through some RSOP results and GPO objects I found a policy that wasn't necessarily prohibiting creation of them. (Not where you think it would be - under Administrative Templates > Windows Components > Task Scheduler > "Prohibit New Task Creation" - this was set to allow them) but this one I found was a File Permissions policy that set SYSTEM permissions to READ and EXECUTE.

    I've changed this to FULL CONTROL for SYSTEM. I'm unable to get on the machines to examine everything closely, but from what I can see at least one of them has remediated themselves and now has a successful client check in the console. Hopefully the rest of them will come around as GP updates itself and the client does an evaluation to remediate the Scheduled Task.

    Hopefully this helps someone in the future as well.


    • Marked as answer by Paul_131 Monday, December 16, 2013 7:10 PM
    • Edited by Paul_131 Monday, December 16, 2013 7:11 PM
    Monday, December 16, 2013 7:09 PM
  • As a follow up-

    Since making that change ~1hr ago I've gone from 442 clients with bad client status to 138. Looks like as they are getting the new GPO and remediation kicks in they are becoming happy again.

    Monday, December 16, 2013 8:26 PM