Score:0

Create a Windows Scheduled Task via GPO to run as specified user


I am trying to create a Scheduled Task via Group Policy (Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks), to run as a specified domain service account.

However, when Group Policy tries to create the task, it fails with the following error.

"Group Policy Object did not apply because it failed with error code '0x80070005 Access is denied."

Here is what the scheduled task looks like from group policy.

Schedule Task in Group Policy

The task works fine if configured on the client itself (with the svc_hpia password stored)

But the password is not requested when configuring the task via Group Policy

The Group Policy scheduled task does get added if I tell it to use the NTAUTHORITY\SYSTEM account, but this is not desirable from a security perspective.

Is there a way I can get the scheduled task to create using my specified service account?

`But the password is not requested when configuring the task via Group Policy`. That's right. It isn't possible to store the credentials securely, so don't do this.
Score:0

This is a GPP, right?

To avoid this issue, don't enable the Run in logged-on user's security context (user policy option) Common option when configuring user GPP Scheduled Tasks items.

Taken directly from the horse's mouth.

If you have already tried that, try enabling the tracing, also shown in there, to better troubleshoot it.
user3580480
Thanks - I probably should have mentioned this is a Computer Policy!
Oh, I see. You can't do that anymore. [It's not safe to store the password in GPOs](https://blogs.technet.microsoft.com/srd/2014/05/13/ms14-025-an-update-for-group-policy-preferences/). It's very easy for anyone who has access to SYSVOL (spoiler: anyone with a valid credential in your domain) to see that password. Why don't you use a Computer GPP?
Score:0
Jan

It is impossible to pass credentials to a scheduled task inside a GPO. This is also indicated by the fact that the "Do not store password" checkbox is checked and greyed out, so you cannot change it.

This is by design due to security reasons. Although not ideal, the only solution is to schedule it under a NTAUTHORITY if you still want to do it via GPO.

Also consider not using SYSTEM, but Local Service or Network Service if no elevated privileges on the machine are required.
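
The comment on MS14-025 and the answer above both come down to passwords not belonging in GPOs, and preference items saved before that update can still carry one in SYSVOL. The following PowerShell audit is an added example, not code from this thread or from Microsoft: it reports preference XML files that have a non-empty `cpassword` attribute without printing or decoding the value. The function name, the sample file, the task names and the `EXAMPLE` domain are constructed, and the `runAs`/`userName` attribute names are assumptions about the item layout.

```powershell
# Added example: report GPP preference items that still carry a stored password.
# It only reports where a cpassword exists; it never prints or decodes the value.
function Find-GppStoredPassword {
    param([Parameter(Mandatory)][string]$Path)   # e.g. the Policies folder under SYSVOL

    Get-ChildItem -Path $Path -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        # Skip files that cannot be read or are not well-formed XML
        try { $xml = [xml](Get-Content -LiteralPath $file -Raw -ErrorAction Stop) } catch { return }
        # Any element, in any preference file, with a non-empty cpassword attribute
        foreach ($node in $xml.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
            # Assumption: the account is held in runAs (tasks) or userName (other items)
            $account = $node.GetAttribute('runAs')
            if (-not $account) { $account = $node.GetAttribute('userName') }
            $parent = $node.ParentNode -as [System.Xml.XmlElement]
            [pscustomobject]@{
                File    = $file
                Item    = if ($parent) { $parent.GetAttribute('name') } else { $node.LocalName }
                Account = $account
            }
        }
    }
}

# Constructed sample standing in for a policy folder (placeholder value, not a real cpassword)
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$dir  = Join-Path $root 'Machine\Preferences\ScheduledTasks'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<ScheduledTasks>
  <Task name="HPIA-Update">
    <Properties action="U" name="HPIA-Update" runAs="EXAMPLE\svc_hpia" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </Task>
  <Task name="Cleanup">
    <Properties action="U" name="Cleanup" runAs="NT AUTHORITY\SYSTEM" cpassword=""/>
  </Task>
</ScheduledTasks>
'@ | Set-Content -LiteralPath (Join-Path $dir 'ScheduledTasks.xml')

# Only the first task is reported; the second has an empty cpassword.
Find-GppStoredPassword -Path $root | Format-Table -AutoSize
```

Any item this reports should be removed from the GPO and the account's password changed, since the file was readable to every domain user while it was there.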
