Thoughts from the EPS Windows Server Performance Team
Good morning AskPerf! Kapil Patry here from the Microsoft Platforms Support Team. I am blogging today about an issue I recently worked. This particular issue dealt with the creation of a task using Task Scheduler on a Windows 2008 R2 Server (can occur on Windows 7 as well). When I attempted to create a scheduled task, the following error appeared:
An error has occurred for the task <task name>. Error message: The following error was reported: A specified logon session does not exist. It may have already been terminated..
This error came up whether I was logged on as a Local Administrator, Domain Administrator, or any other user that had rights to log on locally.
After extensive research, I found that the above error will only occur if the following Security Policy is enabled and you select the “Run whether user is logged on or not” Security option on the General tab, when creating a new task:
SECPOL.MSC | Security Settings | Local Policies | Security Options
Network access: Do not allow storage of passwords and credentials for network authentication
To resolve this issue, set this policy to Disabled.
The new version of Task Scheduler (Windows Vista onwards) uses Windows Credential Manager to store the credentials of the account that is specified to perform a task. If the Network access: Do not allow storage of passwords and credentials for network authentication policy is enabled and applied, Credential Manager cannot store the credentials locally, thus this error message appears.
NOTE: You will not receive this error if the “Run only when user is logged on” Security option on the General tab is selected (we do not store passwords in this scenario).
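To check where a machine stands before changing the policy, the following added example (not part of the original post) reads the registry value that backs this policy, `DisableDomainCreds` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, and lists the scheduled tasks whose logon type relies on a stored password. It uses the `Schedule.Service` COM interface so that it also works on Windows 7 and Windows Server 2008 R2; the variable and function names are illustrative, and it should be run from an elevated PowerShell prompt to see all tasks.

```powershell
# Added example: audit the policy state and the tasks that depend on stored passwords.

# Registry value behind "Network access: Do not allow storage of passwords and
# credentials for network authentication" (1 = Enabled, 0 or absent = Disabled).
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$value  = (Get-ItemProperty -Path $lsaKey -Name DisableDomainCreds `
               -ErrorAction SilentlyContinue).DisableDomainCreds
$policyEnabled = ($value -eq 1)
"Policy enabled (credential storage blocked): $policyEnabled"

# Task Scheduler 2.0 logon types (TASK_LOGON_TYPE enumeration).
$logonTypes = @{ 0 = 'None'; 1 = 'Password'; 2 = 'S4U'; 3 = 'InteractiveToken';
                 4 = 'Group'; 5 = 'ServiceAccount'; 6 = 'InteractiveTokenOrPassword' }

# Connect to the local Task Scheduler service.
$service = New-Object -ComObject Schedule.Service
$service.Connect()

# Walk the task folder tree; illustrative helper, not a built-in cmdlet.
function Get-TaskRecursive($folder) {
    foreach ($task in $folder.GetTasks(1)) { $task }      # 1 = include hidden tasks
    foreach ($sub in $folder.GetFolders(0)) { Get-TaskRecursive $sub }
}

$report = foreach ($task in Get-TaskRecursive $service.GetFolder('\')) {
    $principal = $task.Definition.Principal
    $type      = [int]$principal.LogonType
    New-Object PSObject -Property @{
        Path           = $task.Path
        RunAs          = $principal.UserId
        LogonType      = $logonTypes[$type]
        # Types 1 and 6 are the ones that save a password with the task.
        StoresPassword = (1, 6 -contains $type)
    }
}

# Tasks that need a stored password, i.e. the ones affected by the policy.
$report | Where-Object { $_.StoresPassword } |
    Format-Table Path, RunAs, LogonType -AutoSize
```

The resulting list is the set of tasks to review with whoever owns the policy decision, since each one keeps an account password on the machine.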
This would be a better article if it explained how to access the "Local Group Policy Editor".
Added. Hope that helps Jeff!
Hey guys, thanks for posting this. Is there any way to run a scheduled task in Windows 7 without enabling the local security policy "Network access: Do not allow storage of passwords and credentials for network authentication"? I would really appreciate it if anyone can help.
@William: Yes, you can run Scheduled Tasks fine with that policy Enabled or Disabled. The caveat is, if this Policy is Enabled, then scheduled tasks will "Run only when user is logged on". If the Policy is Disabled, then you can "Run whether user is logged on or not". If passwords are not saved, then there is no way to run the task when a user is not logged on.
Any word on the security concerns here? DoD requires that GPO enabled. This has been since Windows 2000. I wonder if the new task scheduler has improved security and the DoD can be convinced with documentation that Win7 and 2008 have improved security where this GPO setting can be disabled?
How to open the "Local Group Policy Editor"
1. Click Run, type gpedit.msc, and then click OK.
2. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand Security Options.
3. In the Policy pane, right-click Network access: Do not allow storage of credentials or .NET Passports for network authentication, click Properties, click Disabled, and then click OK.
Good quick solution
If this policy is a Global Policy and there is no option to disable it, what options are available to somehow override the Global Policy and allow the creation of a scheduled task where the credentials need to be stored?
@Calvin: You will not be able to store passwords with this policy enabled. There is no way around this that I have found.
Perfect - fixed my issue immediately!
Thank you. This has really helped me
Thanks a Lot for posting this.... This helped to fix the problem
This is causing a few headaches for anyone involved in audit - struggling to find any documentation that would back up from a security perspective that it is ok to now disable this policy.
From a security perspective, one could think that if Windows 2003 scheduled tasks contained saved credentials, the same would apply to Windows 2008 and an exception would be feasible. Especially if the scheduled task is mission critical.
What else would have to be changed if you wanted this parameter to work only for one specific user (let's say, a non-admin user, needing to run a task)?