[NTSysADM] RE: MBS' password expiration script

[Heaton, Joseph@Wildlife]

That's what I figured later yesterday.  Now, I'm having a new problem.   Here's 
what I did:


1)      Changed the account on the scheduled task to the normal user

2)      Figured out that logon as batch is what was required

3)      Successfully ran the scheduled task

Now, you'd think I'm golden.  But, I'm not.  The results from running the task 
this way is that only my admin accounts, and a few folks from the server team, 
are getting looked at.  However, these accounts are in different OUs.  And, our 
user accounts are in the same OU as about 200ish other people, but I'm not 
getting those in the report that I get back.

>From this point, I changed back to my admin account to run the task.  Same 
>results as above, which really doesn't make any sense.  I haven't changed 
>anything in the script from when it was working, so I'm really confused at 
>this point as to why it isn't working as it should.

From: listsadmin@lists.myitforum.com [mailto:listsadmin@lists.myitforum.com] On 
Behalf Of Crawford, Scott
Sent: Tuesday, May 12, 2015 2:42 PM
To: ntsys...@lists.myitforum.com
Subject: [NTSysADM] RE: MBS' password expiration script

I have it running as a scheduled task and the user that the task runs as has 
the user right - "Logon as a batch job".

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, May 12, 2015 8:56 AM
To: 'ntsys...@lists.myitforum.com'
Subject: [NTSysADM] RE: MBS' password expiration script

What rights does the normal account need on the server?  Logon locally?  Logon 
as a batch?  Logon as a service?  I'm having issues getting this to run, with 
the error saying:

Logon failure:  the user has not been granted the requested logon type at this 
computer.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Michael B. Smith
Sent: Friday, May 01, 2015 8:14 AM
To: ntsys...@lists.myitforum.com<mailto:ntsys...@lists.myitforum.com>
Subject: [NTSysADM] RE: MBS' password expiration script

Read AD and send email. :)

I don't believe that it accesses any "sensitive" attributes. So in a normal AD, 
a normal account should be able to do it.

From: listsadmin@lists.myitforum.com<mailto:listsadmin@lists.myitforum.com> 
[mailto:listsadmin@lists.myitforum.com] On Behalf Of Heaton, Joseph@Wildlife
Sent: Friday, May 1, 2015 11:05 AM
To: NT System Admin Issues Discussion list
Subject: [NTSysADM] MBS' password expiration script

When I set this up as a scheduled task, what privileges does the account that 
runs it need?

Joe Heaton
Enterprise Server Support
Information Technology Operations Branch
Data and Technology Division
CA Department of Fish and Wildlife
1700 9th Street, 3rd Floor
Sacramento, CA  95811
Desk:  (916) 323-1284