Group Policy Preferences – Scheduled Task fails to apply

Group Policy Preferences – Scheduled Task fails to apply

2014-10-03
/ / /
We had a couple issues with scheduled tasks not applying when submitted as a GPP (Group Policy Preference).  We turned on tracing via local gpedit.msc (Administrative Templates > System > Group Policy > Logging and tracing).  From here we turned on the Scheduled Task logging and events were then stored in the eventvwr.msc (we also turned on tracing which stored a computer.log file here: C:\ProgramData\Group Policy\Trace)
The first error we got was:
So it can’t map between user ID’s.  It’d be nice if it told us which mapping failed, but it gives us a pretty good hint. Looking at the XML file the GPP creates (stored here:  “C:\ProgramData\Microsoft\Group Policy\History\\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml” )
We saw the following:
Everything validates.  Googling for BUILTIN\SYSTEM brought up that several people were getting the same error when using BUILTIN\SYSTEM.  Which makes some sense as “BUILTIN\SYSTEM” isn’t a real account.  We renamed it to NT AUTHORITY\SYSTEM.  This time we got a new error message:
This doesn’t tell us a whole lot of information.  What is the unexpected node? Looking again at the XML file it looked like so:
The difference that I can see:
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
The SYSTEM account is NOT a group.  We changed how we selected the SYSTEM account by “Browsing” AD, going into the root of the domain, going into the Builtin OU, and selecting SYSTEM.  This populated as “NT AUTHORITY\Well-Known-Security-Id-System”.  This will fail because there is no such user account called “Well-Known-Security-Id-System”.  At this point we renamed it to “NT AUTHORITY\SYSTEM”.
Boom, GPP Scheduled task now worked without issue.  Checking the XML the difference by manually selecting the SYSTEM account changed
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
To
<UserId>NT AUTHORITY\SYSTEM</UserId >
SO.
If you are having issues with your GPP Scheduled task item running as the SYSTEM account I would HIGHLY recommend you check your XML file and confirm it is set as “NT AUTHORITY\SYSTEM” and it is surrounded by UserId NOT  GroupId.

2 Comments

  1. Anonymous 2014-10-16 1:22 pm

    Thanks. Exact same issue.

    Reply
  2. john 2015-06-07 10:04 pm

    Shouldn't MS call it a bug? Why does GPEDIT fill in a name that's not resolvable?

    Anyway, thanks!

    Reply

Post a Comment

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.