Running a task schedule as a different user

  • Question

  • Greetings

    Operating System: Windows Server 2008 R2

    Server Role: Domain Controller

    I'm trying to create a task to run automatically using Task Scheduler which will run a PowerShell script. I'm running this on a Domain Controller and will be creating the task using my Domain Admin account. I have a service account that I wish to use to run the task as, and when I change the run-as to the service account I get the following error:

    I can confirm the username / password combination is correct, the service account has the rights to the folder where the PowerShell script is, and it has the correct permissions to the right group in AD for the script to successfully run ok. The task schedule works fine and runs fine when using my Domain Admin account.

    Any assistance would be gratefully welcome.

    Regards

    S

    Wednesday, October 7, 2015 4:39 PM

All replies

  • Can't see the error but check that the user has "Allow log on locally", "Logon as a batch job" permissions on the domain controller.

    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, October 7, 2015 6:07 PM
  • The error is:

    Task Scheduler cannot apply your changes. The user account is unknown, the password is incorrect, or the user does not have permissions to modify the task.

    I can confirm the service account I'm trying to use is a member of the 'Logon as a batch Job' for domain controllers.

    Regards

    S



    • Edited by Stewart.N Thursday, October 8, 2015 9:46 AM
    Thursday, October 8, 2015 9:04 AM
  • Hi Stewart,

    Permissions on DCs are messy; normally you need to be a Domain Admin or higher to have a good amount of rights.

    Test the same on a normal server with/without local admin rights first.


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Thursday, October 8, 2015 9:52 AM
  • Hi There

    This was my next plan, to install AD on a member server and run it from there. Of course it runs fine using my DA account on the DC.

    For some reason it worked before, then we changed the service account name and now it doesn't, so weird.

    Regards

    S

    Thursday, October 8, 2015 10:03 AM
  • Hi Stewart,

    You didn't answer my question. Did you test it on a Member server without AD role installed on it?

    What is the script doing\fetching?


    Regards,

    Satyajit


    Thursday, October 8, 2015 12:47 PM
  • The error is:

    Task Scheduler cannot apply your changes. The user account is unknown, the password is incorrect, or the user does not have permissions to modify the task.

    I can confirm the service account I'm trying to use is a member of the 'Logon as a batch Job' for domain controllers.

    Regards

    S



    Must also have "Allow logon locally" Try logging on to DC as the user and execute the task.

    Regards, Dave Patrick ....


    Thursday, October 8, 2015 1:03 PM
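
The two user rights discussed in the replies above can be checked without logging on as the service account. The following is an added example, not code from any poster in this thread: it exports the machine's user-rights policy with secedit (run it elevated on the server that will host the task) and reports whether the account, or a domain group it belongs to, holds the batch and local logon rights or their deny counterparts. The account name `svc-task` and the function names are placeholders.

```powershell
Import-Module ActiveDirectory

function Get-UserRightAssignment {
    # Export this machine's user-rights policy; return a hashtable of right -> SID strings.
    $inf     = Join-Path $env:TEMP ('user-rights-{0}.inf' -f [guid]::NewGuid())
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try {
        secedit.exe /export /areas USER_RIGHTS /cfg $inf | Out-Null
        $map = @{}
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $right = $Matches[1]
                $map[$right] = @($Matches[2] -split ',' | ForEach-Object {
                    $entry = $_.Trim()
                    if ($entry.StartsWith('*')) { $entry.TrimStart('*') }   # "*S-1-5-..." form
                    elseif ($entry) {
                        # Bare account name: resolve it to a SID so it can be compared.
                        try { (New-Object System.Security.Principal.NTAccount($entry)).Translate($sidType).Value }
                        catch { $entry }   # unresolvable name is kept and will match nothing
                    }
                })
            }
        }
        $map
    } finally { Remove-Item -Path $inf -ErrorAction SilentlyContinue }
}

function Test-ServiceAccountLogonRight {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    # tokenGroups holds the SIDs of every domain group the account is in, nested ones included.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })
    $sids += 'S-1-1-0', 'S-1-5-11'   # Everyone, Authenticated Users (assumed present in the token)
    $rights = Get-UserRightAssignment
    foreach ($right in 'SeBatchLogonRight', 'SeDenyBatchLogonRight',
                       'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        $via = @($rights[$right] | Where-Object { $sids -contains $_ })
        New-Object PSObject -Property @{
            Right = $right; Held = ($via.Count -gt 0); ViaSid = ($via -join ', ')
        } | Select-Object Right, Held, ViaSid
    }
}

# 'svc-task' is a placeholder account name, not one from the thread.
Test-ServiceAccountLogonRight -SamAccountName 'svc-task' | Format-Table -AutoSize
```

A deny right that shows `Held = True` overrides the matching allow right. Membership in groups local to a member server is not covered by `tokenGroups` and has to be checked separately there.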
  • Hi Dave

    I cannot log onto the DC as the service account; it's not permitted to log on to the DCs. Adding this service account to the Allow Local Logon would mean that a change management would need to be put in place and they probably won't allow it.

    My only option is to run it from a member server, and grant the service account local administrator rights. My problem is that it worked before I changed the name of the service account, so something has broken in doing so.

    Thanks for your suggestions so far

    Regards

    S

    Thursday, October 8, 2015 4:53 PM
  • Hi Dave

    I cannot log onto the DC as the service account; it's not permitted to log on to the DCs. Adding this service account to the Allow Local Logon would mean that a change management would need to be put in place and they probably won't allow it.

    My only option is to run it from a member server, and grant the service account local administrator rights. My problem is that it worked before I changed the name of the service account, so something has broken in doing so.

    Thanks for your suggestions so far

    Regards

    S

    Ok, that's at least one of the reasons it fails. Yes the better solution is to run it from a desktop or other member server.

    Regards, Dave Patrick ....

    Thursday, October 8, 2015 5:04 PM
  • Hi,

    What are you trying to get from the DC? Is the script working if run manually?


    Regards,

    Satyajit


    Friday, October 9, 2015 3:56 AM
  • Hi There

    So the script queries users within a specific OU and its sub-OUs and disables any active accounts it finds. This is run daily to make sure users aren't enabled and left in the OU by mistake, which would mean they would not have certain important GPOs applied.

    It won't work manually on a DC as the service account doesn't have log on rights for a DC.

    Regards


    • Edited by Stewart.N Friday, October 9, 2015 8:45 AM
    Friday, October 9, 2015 7:24 AM
  • Hi Stewart,

    I don't think you need Domain Admin or Log On Rights to disable user accounts.

    Use any ordinary account with correct permissions on the OU. (Account Operators permission should do)

    Check if that account can run this in PS AD module.

    Get-ADUser -Filter 'Name -like "*"' -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" | Disable-ADAccount


    Regards,

    Satyajit



    • Edited by Satyajit321 Friday, October 9, 2015 10:33 AM
    Friday, October 9, 2015 10:33 AM
  • Hi There

    My PowerShell script works just fine thanks, I just need to use Task Scheduler to automatically run the task daily.

    Regards

    Friday, October 9, 2015 11:36 AM
  • Hi Stewart,

    How are you scheduling the task?

    To configure a Scheduled Task in Windows.
     
    Refer to the below guide for setting it up.
    A few configurations specific to us on the task are as follows in the Actions section:
    Program/script:
    powershell -file "C:\Scripts\IPCompare-SendEmail.ps1"
    Start in (optional): C:\Scripts\

    This article has the xml that you can use to test.


    Regards,

    Satyajit


    Saturday, October 10, 2015 5:32 PM
  • Hi There

    My script is working fine as mentioned before, it just won't work from a scheduled task; however, I think I have found the problem. We have around 10000 user accounts in various OUs and sub-OUs which I need to check have been disabled. The problem is that a good deal of them have the inheritance disabled, so when I change/add new permissions at the root they won't be applied to some of these users.

    So my new question would be how do I force the inheritance to be enabled for all child objects without having to go through all 10000 manually?

    Thanks

    • Marked as answer by Mary Dong Wednesday, October 21, 2015 1:47 AM
    Tuesday, October 13, 2015 9:03 PM
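
The situation described in the post above, user objects whose ACL no longer inherits from the OU, can be audited and corrected in bulk with the ActiveDirectory module. The following is an added example, not part of the original post or any reply: the OU path and the function names are placeholders, and the last line runs with `-WhatIf` so nothing is changed until that switch is removed.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder OU, not taken from the thread.
$SearchBase = 'OU=Leavers,DC=example,DC=com'

function Get-InheritanceBlockedUser {
    param([Parameter(Mandatory = $true)][string]$SearchBase)
    # nTSecurityDescriptor is not returned by default, so request it explicitly.
    Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName, Enabled,
            @{ Name = 'AdminCountSet'; Expression = { $_.adminCount -eq 1 } }
}

function Enable-UserAclInheritance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$DistinguishedName
    )
    process {
        $user = Get-ADUser -Identity $DistinguishedName -Properties nTSecurityDescriptor
        $sd   = $user.nTSecurityDescriptor
        # First argument $false = ACL is no longer protected, so parent ACEs flow down again.
        # The second argument is ignored when the first is $false.
        # Explicit ACEs already on the object are left in place and should be reviewed.
        $sd.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-ADObject -Identity $DistinguishedName -Replace @{ nTSecurityDescriptor = $sd }
        }
    }
}

$blocked = @(Get-InheritanceBlockedUser -SearchBase $SearchBase)
$blocked | Sort-Object AdminCountSet | Format-Table -AutoSize

# Accounts with adminCount = 1 are, or once were, members of protected groups.
# For current members, SDProp re-applies the AdminSDHolder ACL and disables
# inheritance again, so they are skipped here and listed for manual review.
$blocked | Where-Object { -not $_.AdminCountSet } | Enable-UserAclInheritance -WhatIf
```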
  • So my new question would be

    Better to limit one question per thread for sake of clarity. I'd start a new thread.

    Regards, Dave Patrick ....

    Tuesday, October 13, 2015 9:07 PM