Yesterday, I was trying to automate couple of backup related tasks on a production windows 2003 server. My estimate was about an hour at max but turned out to be more than half a day’s work 😦
Windows has this little known featured called “Task Scheduler” that lets you create a batch task and schedule it. This is one feature that morphs into different shapes and gets hidden in unknown places with every release of new windows version. There is a good chance that you would have noticed this service in services applet but not the UI to invoke it.
Anyway, one good way to find this on windows 2003 is via Control Panel | Scheduled Tasks. I bet this is changed in windows 7.
Another way is to navigate to <Windows Folder>\Tasks folder in Explorer. Although this is not a real folder, you can operate as one (editing, deleting files etc).
So, I created a new task with all scheduling parameters. Since the backup program requires the user running the task to be an administrator, I specified the user to “run as” administrator with the right password. When I try to save the newly created task, I get this mysterious error although the task gets saved.
The message “Access is denied” calls out for my subconscious response of double checking the password (but I was pretty sure it was correct) and try again. No luck, the error message doesn’t go away. I don’t try to think when I see these kind of errors these days – thanks to Google. So, I fire few quick searches. Searching for “0x80070005: Access is denied” is not good enough as 0x80070005 is a generic error code like E_FAIL. So, I add some context and try again. I also tried searching for exact message. Tried searching at support.microsoft.com as their knowledge base is usually good. The search results point me to the following few solutions but said in umpteen different ways.
- Scheduling tasks doesn’t support blank passwords, so must use a non-blank password
- The permissions on <Windows Folder>\Tasks folder may have been messed up, try resetting them (CACLS TASKS /E /G builtin\administrators:F )
- Try deleting the task, restart “Task Scheduler” service and create the task again
- Reboot windows
None worked. I expected at least the last one to do the usual magic, but naah, not this time. Looking at the search results and the forum discussions, it is surprising that so many people are facing this issue since 2005 and many of them left with no solutions. Also looking at the irrelevant search results coming up in the first few pages, I wonder if google search engine is hacked badly by SEO optimizations.
I thought, I will give up and find some open source or a third party scheduling solution. Keeping google aside, I started looking at the message more carefully and trying to understand what is going wrong. Clearly, the problem is with setting the “Run as” user details because I do see the task getting created. So, I fired up “Event Viewer” and was trying to dig in for any useful information.
What catches my attention is this event:
The highlighted text brought back painful debugging memories of COM/DCOM days, trying to troubleshoot processes not having rights like “Act as part of Operating System”, “Log on as service” etc. Even though this message doesn’t specify which “Log on as” right is the problem (other than the numeral 4), I knew where to look next. I brought up the Local Security Policy Manager and started looking at the rights assignments.
I see “Log on as a batch job” and “Log on as a service” rights. Clearly, the latter cannot be the rights in question. But Administrator has both of these rights. It doesn’t make sense. And there are no other “Log on” rights to worry about. As I scroll up, I notice that there are a series of “Deny log on as …” rights.
To my surprise, Administrator is part of “Deny log on as a batch job”. Since “Deny” rights are processed before the “Allow” rights, my “Scheduled Task” creation is failing. Once I fixed this, everything started working fine.
This is a brand new instance of Windows 2003 R2 server. It is not clear to me as to why “Administrator” is not allowed, by default, to run batch jobs. It could have been added due to some exploits, but I didn’t bother to spend more time on this as it is already past midnight. I wish the error messages could have been little more detailed…