Windows Server

How to configure log on as a batch job permissions on any server

Server permission settings

Log on as a batch job. This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an interactive user. Default: Administrators and Backup Operators. Please visit the following links for more on Group Policy Objects and GPO. To learn more about these switches, see “All about GPUpdate Switches: GPUpdate vs GPUpdate /force“, what is Registry Editor and how to access the registry hives, and how to search through Windows Registry, what is Registry Editor and how to access the registry hives and how to search through Windows Registry.

I needed to grant an MBAM read only server "MBAM-RO-SVC" logon as a batch job permission and because of this, I decided to create this article for you to benefit from it. This is an MBAM Read-only service account which will have access to the reports area of the Administration and Monitoring Website.

Configure log on as a batch job permissions on any server

To do this, search for the “secpol.msc” from the windows search as shown below, or alternatively, launch the run dialog wizard and enter “secpol.msc” and hit ok. Regardless of the step, you chose to use, this will open the Local Security Policy console. “

Note: You can also access this from the Group Policy Management Editor dialog box, under Computer Configuration, expand Policies, Windows SettingsSecurity Settings, and Local Policies, and then click User Rights Assignment

Batch job access control

Locate the Local Policies, and then click User Rights Assignment. On the right pane of the window, double-click on log on as a batch job

Server user privileges

This will open up the Log on as a batch job Properties window. Click on Add Users or Group as shown below.

Logon rights configuration

This will open up the wizard below to select users, computers, service accounts or groups. Since we are interested in adding an MBAM service account, when I am done, I will click on OK.

Logon rights configuration

As you can see, the service account has been added. Click on Ok to close this window.


As you can see the policy has been configured and that is all that needs to be done.


I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x