I think the default permissions of the CMD.exe file are getting you, read the KB enclosed. As I recall permissions allow RX for the interactive special group which is why it worked if you're signed in at the console. On our servers where we have ordinary users executing "batch" jobs I've setup a local group to grant read and execute.
http://support.microsoft.com/kb/867466 Mike ________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Friday, December 15, 2006 4:31 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: help with running a scheduled job We are trying to get a particular account to run a scheduled backup job on a server. Our results are puzzling. Here are the particulars: 2003 R2 standard server Domain account, non privileged, doesn't belong to "domain users" Added to local "backup operators" group Trying to run a system state backup job through a scheduled batch (.bat) file File permissions appear to be ok in file system where batch file is located. Results: When run from a remote "scheduled tasks/run" (without the user logged into the server): a scheduled job with the user's credentials specifying an "ipconfig" command works. a scheduled job with the user's credentials specifying "notepad.exe" works. a scheduled job with the user's credentials calling a batch file (.bat) which runs ntbackup.exe FAILS with (from SchedLgU.txt): "test.job" (simple.bat) 12/13/2006 5:50:08 PM ** ERROR ** Unable to start task. The specific error is: 0x80070005: Access is denied. Try using the Task page Browse button to locate the application. All the jobs run successfully from a remote "scheduled tasks/run" environment if the user is in the local administrators group. When the user is only in the local Backup Operators group, all the jobs run successfully from a remote "scheduled tasks/run" environment when this account is logged into the server/console! They can also be run successfully locally by the user. Note this same user got an "Access is denied" previously. We checked through the local security policy thinking it could be related to "User Rights assignments" or "Security Options" but did not see anything there. I think we're missing something really simple here, but it's eluding us. Any thoughts are appreciated. Mike Thommes