When setting up a task in Task Scheduler, our practice for over a decade has been that the user who sets it up puts their domain account in the "Security Options -> When running the task, use the following user account". This has worked on Windows 2008 and later Windows 2016 server.
We have long known that when running the task, the account that is set up only needed to work the first time. It seems that ever after, the task will run even if that account changes a password or if that account has an expired password. We just double-checked that against a task set up by a user who is long gone, but his account is still present in that setup.
For the very first time we ran into a problem where a task would not start. In this case, it was an active user who had set it up, but his domain account had just locked. The task would not run again until a different user account was set in the Security option.
We could probably run some of these tasks as SYSTEM or SERVICE, since they only need to update a log file locally and run queries or JSON requests over the network using other credentials, not the user.
The question is, why can expired password users work in the security setup, but not locked password users?