Windows Server 2012 R2 Task Scheduler access denied (0x80070005), but command works manually in shell

2

I have the following problem. On our Windows Server 2012 R2 is a scheduled task which calls a batch file, which in return calls vb scripts.

Those scripts just download 5 pictures and stores them into a folder under a specified name. If I call the bat directly via command line, it works like a charm but with the scheduler I get following information.

It saves the files in the same partition where the script is located. Just in another folder where the user also has access, because he is added to the admin group.

Event Information: Event-ID: 201  ResultCode 2147943645 successfully completed

The ResultCode seems to match the following access denied message.

Result of the last execution: Access denied 0x80070005

My researches lead me to try some config changes.

  • Run the task in the Schedule with highes rivileges -> same error

  • Change the security for %windir%/system32/cmd.exe -> user already in the admin group

  • Remove " from start in -> there is nothing, also adding the folder, where the script is located doesn't change anything

Thank you in advance for any hint, question, information to this problem.

windows
windows-server-2012-r2
permissions
batch-file
asked on Server Fault Jan 11, 2017 by Sven Bamberger • edited May 25, 2018 by SturdyErde

2 Answers

0

I think that should check Task Security Context of your schedulled task.

Do you have store user's password in the task?

The error can be caused by lack of network access.

answered on Server Fault Jan 11, 2017 by Slipeer
0

You most likely need to grant the "Log on as batch job" system privilege to the service account that you are using to run the scheduled task.

(You are not running the scheduled task with your own personal credentials, right?)

From TechNet's description:

Allows a user to be logged on by means of a batch-queue facility. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.

By default, only the LocalSystem account has the privilege to be logged on as a batch job.

This can be set in a domain GPO or in a local GPO, both in the following location: 

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

To confirm the source of the "Access denied" failure, you should check the Windows Security log in Event Viewer. Filter the log to only show Audit Failures, and then search for the last time that you attempted to run your scheduled task.

answered on Server Fault Jan 11, 2017 by SturdyErde

User contributions licensed under CC BY-SA 3.0