You configure the following User Group Policy Preference (GPP) item in a Windows 2008 / 2008 R2 based Active Directory Domain.Â
- User Configuration\Preferences\Control Panel Settings\Scheduled Tasks\New\"Scheduled Task (Windows Vista and later)"
- Under the Common Settings tab, select option "Run in logged-on user’s security context (user policy option)â€.
After the Group Policy is applied to a user, you find that the preference item does not take effect. Additionally, you see the following event log in the Application log:Â
Event ID: 4098
Event Source: Group Policy Scheduled Tasks
Event Type: Warning
Event Description: The user '<GPP item name>' preference item in the '<GPO name> <GPO GUID>' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
Additionally if you enable Group Policy tracing for GPP Scheduled Tasks Client Side Extension you will see the following logged in the GPPÂ User log file:
2010-10-12 09:59:01.337 [pid=0x3a0,tid=0x8c8] Starting class <TaskV2> - <GPP item name>.
2010-10-12 09:59:01.337 [pid=0x3a0,tid=0x8c8] Set user security context.
2010-10-12 09:59:01.337 [pid=0x3a0,tid=0x8c8] Adding child elements to RSOP.
2010-10-12 09:59:01.352 [pid=0x3a0,tid=0x8c8] WorkItem.Init [ hr = 0x80070005 "Access is denied." ]
2010-10-12 09:59:01.352 [pid=0x3a0,tid=0x8c8] Properties handled. [ hr = 0x80070005 "Access is denied." ]
2010-10-12 09:59:01.352 [pid=0x3a0,tid=0x8c8] Set system security context.
2010-10-12 09:59:01.540 [pid=0x3a0,tid=0x8c8] EVENT : The user '<GPP item name>' preference item in the '<GPO name> {GPO GUID}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.'%100790273
2010-10-12 09:59:01.540 [pid=0x3a0,tid=0x8c8] Error suppressed. [ hr = 0x80070005 "Access is denied." ]
2010-10-12 09:59:01.540 [pid=0x3a0,tid=0x8c8] Completed class <TaskV2> - <GPP item name>.
2010-10-12 09:59:01.540 [pid=0x3a0,tid=0x8c8] Completed class <ScheduledTasks>.
You can enable GPP tracing through group policy:
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Logging and Tracing\Configure Schedulled Tasks preference logging and tracing
When configured, the log file will be created in:
%SystemDrive%\ProgramData\GroupPolicy\Preference\Trace\User.log
The User GPP Scheduled Tasks item was not designed to run under the currently logged on users security context AND must be applied in the default system security context.Â
To avoid this issue, do not enable the "
Run in logged-on user’s security context (user policy option)†Common option when configuring user GPP Scheduled Tasks items.
The security context under which the Scheduled Task will run once it has been deployed can be specified in the General settings tab when creating the User GPP Scheduled Task item:
User Configuration\Preferences\Control Panel Settings\Scheduled Tasks\New\"Scheduled Task (Windows Vista and later)"
General:
Security Options -> "When running the task, use the following user account:"
By default, this is set to: %LogonDomain%\%LogonUser%
This is where the security context under which the scheduled task will run should be configured.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See
Terms of Use
(http://go.microsoft.com/fwlink/?LinkId=151500)
for other considerations.