Question
Friday, December 28, 2012 2:27 PM
Hello,
I have a Windows 2008 domain. I have a domain user that I would like to use to run a Scheduled Task. The task runs a batch file which restarts the DNS service on the DC.
What permissions do I need to give the user?
I'm currently receiving the operational code (2) so I believe it's a permissions issue.
Thank you in advance!
Regards,
Terry
All replies (4)
Friday, December 28, 2012 7:56 PM ✅Answered
tbrothers wrote:
Hello,
I have a Windows 2008 domain. I have a domain user that I would like
to use to run a Scheduled Task. The task runs a batch file which
restarts the DNS service on the DC.
What permissions do I need to give the user?
I'm currently receiving the operational code (2) so I believe it's a
permissions issue.
Thank you in advance!
Regards,
Terry
Normally those permissions are only granted to members of the
administrators group for the server, which is at the domain level the
domain admins group. But you could use a native account like SYSTEM,
too.
Or you add permissions
a) for starting services and b) for running a batch job
to the user you want to use for this job explicitly, via the security
policy for the server.
Wolfgang
Saturday, December 29, 2012 6:22 PM ✅Answered | 1 vote
You can edit the local policy or Group policy for that machine. The settings are located in:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
"Description
Allows a user to be logged on by means of a batch-queue facility.
For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user.
This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
By default, only the LocalSystem account has the privilege to be logged on as a batch job."
http://technet.microsoft.com/en-us/library/cc755659(v=ws.10).aspx
...
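A read-only check of the two grants discussed above, (a) start/stop rights on the service and (b) "Log on as a batch job", added here as an example that is not part of the original thread. The account name `CONTOSO\svc-dnsrestart` is hypothetical, and `DNS` is assumed to be the short name of the DNS Server service.

```powershell
# Added example: read-only audit. Run elevated on the server that hosts the service.
$Account = 'CONTOSO\svc-dnsrestart'   # hypothetical task account
$Service = 'DNS'                      # assumed service short name, as used by sc.exe

# Both the exported policy and the service ACL identify accounts by SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# b) "Log on as a batch job" appears as SeBatchLogonRight in the exported policy.
$cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
Remove-Item $cfg
$holders = @()
if ($line) {
    # Entries are comma-separated; SIDs are written with a leading '*'.
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}
"SeBatchLogonRight holders: $($holders -join ', ')"
"$Account listed directly: $($holders -contains $sid) (a listed group also grants it)"

# a) Service ACL in SDDL form: RP = SERVICE_START, WP = SERVICE_STOP.
$sddl = (sc.exe sdshow $Service | Where-Object { $_ }) -join ''
$granted = @()
# Allow ACE layout: (A;flags;rights;object;inherit_object;trustee)
foreach ($ace in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)')) {
    if ($ace.Groups[2].Value -eq $sid) {
        # Rights are a run of two-letter codes, e.g. RPWPLC.
        $granted += [regex]::Matches($ace.Groups[1].Value, '..') | ForEach-Object { $_.Value }
    }
}
"Service rights for ${Account}: $($granted -join ' ')"
"Can start: $($granted -contains 'RP')  Can stop: $($granted -contains 'WP')"

# DC (change config), WD (write DAC) and WO (write owner) go beyond a restart
# and amount to administrative control of the service.
$excess = $granted | Where-Object { 'DC', 'WD', 'WO' -contains $_ }
if ($excess) { "WARNING: more than a restart needs: $($excess -join ' ')" }
```

Only ACEs that name the account's own SID are matched, so rights inherited through a group or a well-known alias such as `BA` do not show up under "Service rights".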
Monday, December 31, 2012 6:08 AM ✅Answered
Hi Terry,
By default, DNS Server Service logs on as Local System account and DNS Client Service logs on as Network Service account.
However, these accounts are Windows built-in accounts and we cannot manage them manually. Instead, we can use administrator account to manage the above two services.
If we would like a standard user to run a privileged task, we can try the following settings:
Hope this helps.
Jeremy Wu
TechNet Community Support
Friday, December 28, 2012 7:44 PM
I have it working but I had to add the user to the Administrators group. But I don't like giving more permissions than are required. There has to be a better solution ... I hope!
Terry