
TechDirectArchive


Configure log on as a batch job permissions on any server

Posted on 16/03/2021 / 21/05/2025 by Christian

The “Log on as a batch job” security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user. Default: Administrators and Backup Operators. Please visit the following links for more on Group Policy Objects and GPO. In this article, we shall discuss how to configure log on as a batch job permissions on any server.

I needed to grant an MBAM read-only server “MBAM-RO-SVC” the log on as a batch job permission, and because of this, I decided to create this article for you to benefit from it. This is an MBAM read-only service account, which will have access to the reports area of the Administration and Monitoring Website.

You may need to configure “Log on as a batch job” because a Task Scheduler job needs to run regardless of whether a user is logged on, or needs to run in the background without opening a user session.

For related reading, see “All about GPUpdate Switches: GPUpdate vs GPUpdate /force”, what is Registry Editor and how to access the registry hives, and how to search through Windows Registry.

Why do we need this setting configured?

As a result, the account used must be enforced or required for interactive logon, and this configuration is necessary. Please take a look at this link for more information.

A scheduled task requires the “Log on as a batch job” right for its service account because this permission allows the account to run tasks in the background without an interactive logon, which is essential for executing scheduled tasks.

In the context of MBAM (Microsoft BitLocker Administration and Monitoring), the Log on as a batch job permission is required for the IIS account because it allows background processes to run under a specific account without requiring interactive logon. This is essential for web applications and services that need to execute automated tasks such as encryption key management and reporting.

During MBAM setup, IIS hosts web applications that facilitate BitLocker administration, including self-service portals and monitoring tools. These applications often rely on scheduled tasks or background processes to function correctly. Granting the IIS account the Log on as a batch job right ensures that these tasks can run securely and efficiently.

Please see Unable to run downloaded Programs due to Defender SmartScreen, how to retrieve Recent Windows Update: How to create batch script files, and how to Manage Microsoft Defender Antivirus with Argon ACMP.

Configure log on as a batch job permissions on any server

To fix this, search for “secpol.msc” from Windows search. Alternatively, open the Run dialog, enter “secpol.msc”, and click OK. Whichever method you choose, this will open the Local Security Policy console.

Note: You can also access this from the Group Policy Management Editor dialog box: under Computer Configuration, expand Policies, Windows Settings, Security Settings, and Local Policies, and then click User Rights Assignment.

If you configure the Log on as a batch job setting using domain-based Group Policy settings, the computer cannot assign the user right to accounts used for scheduled jobs in the Task Scheduler.

Expand Local Policies, and then click User Rights Assignment. In the right pane of the window, double-click Log on as a batch job.

This will open up the Log on as a batch job Properties window. Click on Add User or Group.

Note: When the Log on as a batch job setting is grayed out, ensure you add your account as a member of the local administrator group on the PC.

This will open up the wizard below to select users, computers, service accounts or groups. Here is how to fix “Error 1385: The user has not been granted the requested logon type at this time“.

Since we are interested in adding an MBAM service account, when I am done, I will click on OK.

As you can see, the service account has been added. Click on OK to close this window.

As you can see, the policy has been configured, and that is all that needs to be done.
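The same grant can be scripted and verified with the built-in `secedit.exe` instead of the console. The following is an added example, not part of the original post; the account name `CONTOSO\MBAM-RO-SVC` and the temporary file names are assumptions. It preserves the existing holders of the right (the template value replaces the whole list) and also checks “Deny log on as a batch job”, which overrides the grant.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumption: 'CONTOSO\MBAM-RO-SVC' is a placeholder for your own service account.
$Account = 'CONTOSO\MBAM-RO-SVC'
$ErrorActionPreference = 'Stop'

# Resolve the name to a SID; Translate() throws if the account cannot be found.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

function Get-UserRight([string]$Right) {
    # Export the User Rights Assignment area and return the entries of one right.
    $file = Join-Path $env:TEMP "rights-export-$PID.inf"
    secedit.exe /export /cfg $file /areas USER_RIGHTS | Out-Null
    $line = Get-Content $file | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $file
    if (-not $line) { return @() }   # a right with no holders has no line at all
    return @(($line -split '=', 2)[1].Split(',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$current = @(Get-UserRight 'SeBatchLogonRight')
if ($current -notcontains "*$sid") {
    # The template value REPLACES the list, so carry over the existing holders.
    $members = ($current + "*$sid") -join ','
    $inf = Join-Path $env:TEMP "batch-right-$PID.inf"
    $db  = Join-Path $env:TEMP "batch-right-$PID.sdb"
    @('[Unicode]', 'Unicode=yes',
      '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]', "SeBatchLogonRight = $members") |
        Set-Content -Path $inf -Encoding Unicode
    secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "secedit /configure failed with exit code $LASTEXITCODE"
    }
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Verify the grant, then flag a conflicting deny right, which takes precedence.
if (@(Get-UserRight 'SeBatchLogonRight') -notcontains "*$sid") {
    throw "$Account is still missing SeBatchLogonRight"
}
if (@(Get-UserRight 'SeDenyBatchLogonRight') -contains "*$sid") {
    Write-Warning "$Account is listed under 'Deny log on as a batch job'; the deny wins"
}
"$Account ($sid) holds SeBatchLogonRight"
```

A domain GPO that defines this right will overwrite the local change at the next policy refresh, so on domain-managed servers make the grant in that GPO instead.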


Please, see Batch rename multiple files on Windows. Also, see the different Windows Logon Types, and how to Fix missing path and delete a Veeam Backup Repository.

FAQs

Why does my Scheduled Task succeed for .txt files but fail for .pdf, .png, or modifying spaces in a .csv file, even with modify rights and inherited folder permissions?

This is because the non-admin account lacks elevated privileges or access to specific apps or system components required to handle .pdf, .png, or .csv operations. Tasks run successfully under local admin accounts due to broader permissions and elevated access.

Why does a Scheduled Task require the “Log on as a batch job” right for a service account?

The “Log on as a batch job” right allows the service account to run tasks in the background without interactive logon.

I hope you found this blog post helpful on how to configure log on as a batch job permissions on any server. If you have any questions, please let me know in the comment section.
