tl;dr: Can I use RunAs with accounts that are denied local log on and log on through remote desktop services?
I have worked through suggestions in some of the posts here, such as enabling ‘Don’t Load Run As Profiles’, checking permissions on the Repository folder, enabling Job Debugging, and using ProcMon to identify any errors, but I’m not making any progress on this problem.
When setting a script to RunAs and running the script, I get the error:
Error executing job: An error occured trying to start process
'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with working directory
'D:\ProgramData\UniversalAutomation\Repository'.
Logon Failure: the user has not been granted the requested logon type at this computer.
The service account running PowerShell Universal has been granted the following rights:
- Log on as a batch job
- Log on as a service
- Adjust memory quotas for a process
- Replace a process level token
The service account to run the script has been created as a secret variable using the name format:
contoso\serviceAccount (using serviceAccount@contoso.com gives a bad username/password error).
The service account running the script has been granted Log on as a batch job.
However, all service accounts are denied local log on and log on through remote desktop services.
Using an account that has not been denied local log on and log on through remote desktop services does work, but the account has to be added to the Local Administrators group.
Product: PowerShell Universal
Version: 4.0.10
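
An added example, not part of the original post and not PowerShell Universal's own code: one way to list which of the logon rights named above are assigned to the run-as account on the server, using `secedit` to export the user-rights assignment. The `-Group` parameter is hypothetical and takes the groups the account belongs to, since rights are often assigned through groups; `contoso\serviceAccount` is the name format from the post.

```powershell
# Added example: report which logon rights apply to an account on this machine.
# Run elevated on the server. -Group (hypothetical) lists the account's groups.
param(
    [string]   $Account = 'contoso\serviceAccount',   # name format from the post
    [string[]] $Group   = @()
)

# User-right constants and their display names in Local Security Policy
$rights = [ordered]@{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeBatchLogonRight                 = 'Log on as a batch job'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
}

function Resolve-Sid([string]$Name) {
    [System.Security.Principal.NTAccount]::new($Name).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# SID -> name for the account and each supplied group
$principals = @{}
foreach ($n in @($Account) + $Group) { $principals[(Resolve-Sid $n)] = $n }

# Export the user-rights assignment and parse lines of the form "SeXxx = *SID,name,..."
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $policy[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object {
            $e = $_.Trim()
            if ($e.StartsWith('*')) { $e.Substring(1) } else { try { Resolve-Sid $e } catch { $e } }
        }
    }
}
Remove-Item $cfg

# One row per right; AssignedVia is empty when none of the principals hold it
foreach ($r in $rights.GetEnumerator()) {
    $via = @($policy[$r.Key]) | Where-Object { $_ -and $principals.ContainsKey($_) }
    [pscustomobject]@{
        Policy      = $r.Value
        Constant    = $r.Key
        AssignedVia = ($via | ForEach-Object { $principals[$_] }) -join ', '
    }
}
```

A deny right takes precedence over the matching allow right, so a non-empty `AssignedVia` on a `SeDeny…` row blocks that logon type even when the allow row is also populated.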