Thursday, January 20, 2011

Is it possible for a Scheduled Task to run as NETWORK SERVICE?

It is quite simple to set up a task to run as SYSTEM, but when setting it to NETWORK SERVICE it shows an "Access is denied" error message.

Is there any way to get this working? (The problem is that I don't want to create a new domain user for that task and I need to access a remote share from this task.)

  • Try adding the "Log on as a service" right to the network service account. Detailed instructions here.

    Regent: Nope. It was already listed in "Log on as a service", and adding to "Log on as a service" didn't help either.
    From Matt
  • I tried doing this several ways, but now I don't think it's possible. I'd be glad to stand corrected on this, but I tried everything I could think of, including adding NETWORK SERVICE to Administrators, tweaking all sorts of Local Security Policy settings, etc.

    When I enable auditing, I get this:

    Event Type:     Failure Audit
    Event Source:   Security
    Event Category: Account Logon 
    Event ID:       680
    Date:           02/03/2010
    Time:           8:49:53 PM
    User:           NT AUTHORITY\SYSTEM
    Computer:       RESULTANT
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
     Logon account:  NETWORK SERVICE
     Source Workstation: RESULTANT
     Error Code: 0xC0000064
    
    Event Type:     Failure Audit
    Event Source:   Security
    Event Category: Logon/Logoff 
    Event ID:       529
    Date:           02/03/2010
    Time:           8:49:53 PM
    User:           NT AUTHORITY\SYSTEM
    Computer:       RESULTANT
    Description:
    Logon Failure:
         Reason:        Unknown user name or bad password
         User Name:     NETWORK SERVICE
         Domain:        NT AUTHORITY
         Logon Type:    4
         Logon Process: Advapi  
         Authentication Package: Negotiate
         Workstation Name:       RESULTANT
    

    0xC0000064 decodes to NO_SUCH_USER. That's a bit silly, considering that I entered only network service – how did it know that the account that failed was in NT AUTHORITY?

    When I enter an invalid username, I don't even see the authentication attempt at all. So clearly something agrees that NETWORK SERVICE is an actual account.

    If I botch the password for a known username (i.e. Administrator), I get 0xC000006A (STATUS_WRONG_PASSWORD).


    Try adding the Log on as a batch job right to NETWORK SERVICE. I think it's a silly idea; you should just bite the bullet and create a domain account…

    Regent: Sorry, I mistyped in my previous comment to Matt, but I tried adding it for "Log on as a batch job", with no luck.
    From fission
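
The correlation done by eye in the answer above, as an added example that is not part of the original thread: it parses Event Viewer text in the layout quoted there, joins each 529 logon failure to the 680 audit of the same attempt, and decodes the status code and logon type. The function names and the trimmed sample are constructed for illustration; only the two NTSTATUS values named in the thread are decoded.

```python
import re

# NTSTATUS values decoded in the thread; logon types are the standard Windows numbers.
NTSTATUS = {0xC0000064: "NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD"}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service"}

def parse_events(dump):
    """One dict of 'Key: value' fields per event; 'Event Type' opens each event."""
    events = []
    for key, value in re.findall(r"^[ \t]*([^:\n]+?):[ \t]*(.*?)[ \t]*$", dump, re.M):
        if key == "Event Type":
            events.append({})
        if events:  # ignore stray fields that precede the first event
            events[-1][key] = value
    return events

def correlate(events):
    """Join each 529 logon failure to the 680 audit of the same attempt."""
    def stamp(e, name_key):
        return tuple(e.get(k) for k in ("Computer", "Date", "Time", name_key))
    codes = {stamp(e, "Logon account"): int(e["Error Code"], 16)
             for e in events if e.get("Event ID") == "680" and "Error Code" in e}
    rows = []
    for e in (e for e in events if e.get("Event ID") == "529"):
        code = codes.get(stamp(e, "User Name"))
        rows.append({"account": e.get("Domain", "?") + "\\" + e.get("User Name", "?"),
                     "logon_type": LOGON_TYPES.get(e.get("Logon Type"), "unknown"),
                     "status": NTSTATUS.get(code, "no 680 match" if code is None else hex(code))})
    return rows

# Constructed sample: the relevant fields of the two events quoted in the thread.
SAMPLE = """\
Event Type: Failure Audit
Event ID: 680
Date: 02/03/2010
Time: 8:49:53 PM
Computer: RESULTANT
Logon account: NETWORK SERVICE
Error Code: 0xC0000064
Event Type: Failure Audit
Event ID: 529
Date: 02/03/2010
Time: 8:49:53 PM
Computer: RESULTANT
User Name: NETWORK SERVICE
Domain: NT AUTHORITY
Logon Type: 4
"""
if __name__ == "__main__":
    print(correlate(parse_events(SAMPLE)))
```

A 529 event with no 680 sharing its computer, date, time and account name is reported as "no 680 match" rather than dropped.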
