Log on as a batch job
Updated: May 8, 2013
Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista
This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting.
Reference
This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When an administrator uses the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the Log on as a batch job user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context.
This policy setting is provides compatibility with older versions of Windows.
This policy setting is supported on versions of Windows that are designated in the Applies To list.
Constant: SeBatchLogonRight
Possible values
User-defined list of accounts
Default values
Not Defined
Best practices
- Use discretion when assigning this right to specific users for security reasons. The default settings are sufficient in most cases.
Location
GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Default values
By default, this setting is for Administrators, Backup Operators, and Performance Log Users on domain controllers and on stand-alone servers.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
Server type or GPO | Default value |
---|---|
Default Domain Policy |
Not defined |
Default Domain Controller Policy |
Administrators Backup Operators Performance Log Users |
Stand-Alone Server Default Settings |
Administrators Backup Operators Performance Log Users |
Domain Controller Effective Default Settings |
Administrators Backup Operators Performance Log Users |
Member Server Effective Default Settings |
Administrators Backup Operators Performance Log Users |
Client Computer Effective Default Settings |
Administrators |
Operating system version differences
In Windows Server 2008 R2, the Performance Log Users group was added as a default group for this policy setting. No other changes were made in the way this policy setting works between supported versions of Windows.
Policy management
This section describes features, tools, and guidance to help you manage this policy.
A restart of the computer is not required for this policy setting to be effective.
Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
Group Policy
Task Scheduler automatically grants this right when a user schedules a task. To override this behavior use the Deny log on as a batch job User Rights Assignment setting.
Group Policy settings are applied in the following order, which will overwrite settings on the local computer at the next Group Policy update:
Local policy settings
Site policy settings
Domain policy settings
OU policy settings
Security considerations
This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
Vulnerability
The Log on as a batch job user right presents a low-risk vulnerability. For most organizations, the default settings are sufficient. Members of the local Administrators group have this right by default.
Countermeasure
You should allow the computer to manage this user right automatically if you want to allow scheduled tasks to run for specific user accounts. If you do not want to use the Task Scheduler in this manner, configure the Log on as a batch job user right for only the Local Service account.
For IIS servers, you should configure this policy locally instead of through domain–based Group Policy settings so that you can ensure the local IUSR_<ComputerName> and IWAM_<ComputerName> accounts have this user right.
Potential impact
If you configure the Log on as a batch job setting by using domain-based Group Policy settings, the computer cannot assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you may need to assign this user right to additional accounts that are required by those components. For example, IIS requires assignment of this user right to the IIS_WPG group and the IUSR_<ComputerName>, ASPNET, and IWAM_<ComputerName> accounts. If this user right is not assigned to this group and these accounts, IIS cannot run some COM objects that are necessary for proper functionality.