Log On as Batch Job Rights: How to Grant Access

Tue, 06/18/2019 - 17:35 By Dave Brooks

What is "Logon as Batch job"?

This article concerns itself with the following error message:

"Logon failure: the user has not been granted the requested logon type at this computer."

The short version

Here's a simple outline of the problem.

  1. A Windows service on your computer has nearly unlimited access to your local computer.
  2. By default, Windows prevents that service from having access to your local network.
  3. Not being able to access the network becomes a problem if you need to access shared printers and file systems.
  4. For that reason, Windows provides "Logon as Batch job" to grant access to a single logged-in user within a service process.

The long version

Here's the more extended version of the problem, including the step-by-step fix.

RPM Remote Print Manager® ("RPM") is a Windows system service. Like any other service, it has special permissions on your local machine.

For security reasons, Microsoft decided to prevent Windows services from working the same way on the network. So, for example, RPM can't use shared printers or shared folders directly because they are on your network, not your local computer.

On the other hand, a typical logged-in user can easily use shared printers and folders. You have this right as part of your user profile.

A service like RPM gets around this by impersonating a logged-in user while printing or opening a file. That's one of the permissions that a service program has. You set this up in the RPM user interface by configuring an action to use a regular user's login credentials for the printer or folder.

The second requirement is that this user must have "Logon as batch job" permissions in their profile. Requiring this permission keeps a hacker from maliciously creating user accounts to do whatever they want. Only an admin, logged in, can assign this permission to a user profile.

To summarize, here is a chart that presents the problem:

| User | Permissions |
|---|---|
| Windows service | Can use local printers and folders |
| Logged-in users | Can use local and shared printers and folders |
| Impersonated users | Must have "logon as batch job" set in the profile |

How we first encountered this problem

Let's set up this scenario. The customer used RPM with an "Archive to folder" action using a domain service account to write files to folders on a network share. The user account has the correct credentials.

When the user next processes a print job using this action, they get the following error.

"Error 1385 - Logon failure: the user has not been granted the requested logon type at this computer."

The reason we had never encountered this error is this. When I wrote and tested this function in RPM, I used my login account (since we don't share passwords around in the company). My regular user profile has "Logon as Batch Job" because I'm one of the admin users.

A typical user would not have that; hence, the error.

How to solve the "Logon as Batch job" issue

These instructions assume you are using Windows 10 or comparable.

  1. Go to the lower left of your home screen so the search bar appears.
  2. As shown in the example below, type in "secpol.msc" indicated by the red arrow.
  3. Don't hit Enter yet; look for the menu to appear. Notice the four options to the right; you want the highlighted option "Run as administrator".

    Running secpol as admin

  4. In the "Local Security Policy" app, go to Security Settings / Local Policies / User Rights Administration. These are collapsing menus you open by clicking the ">" arrow, one at a time.
  5. Scroll down to "Log on as a batch job" and double-click on that entry.

    log on as batch job rights location

The "Select Users" form is where you would add the user you have configured for the RPM archive to the shared folder operation.

Note that I have put myself in this form: BROOKS\Dave

However, you might have noticed that the security policy already includes that user. If you were adding a user, you would do that here.

Selecting users to have permission for batch jobs

It won't hurt anything to click "Check Names" if you have never done this before. Chances are, if you entered the domain and username correctly, you won't have a problem.
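To review who ends up holding the right after the steps above, the same policy can be exported with `secedit` and read as text. The PowerShell below is an added example, not part of RPM or the original article; it parses the export's `SeBatchLogonRight` and `SeDenyBatchLogonRight` entries, and the sample export with its `EXAMPLE\...` accounts is constructed for illustration.

```powershell
# Added example, not RPM code. On a real machine, export the policy from an
# elevated prompt and load it instead of the sample:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $inf = Get-Content C:\Temp\rights.inf -Raw

# Constructed sample export; EXAMPLE\svc-archive and EXAMPLE\temp-ops are made up.
$inf = @'
[Privilege Rights]
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,EXAMPLE\svc-archive,EXAMPLE\temp-ops
SeDenyBatchLogonRight = EXAMPLE\temp-ops
[Version]
signature="$CHICAGO$"
'@

# Built-in groups that hold the right by default: Administrators,
# Backup Operators, Performance Log Users.
$defaults = 'S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-559'

function Get-UserRight {
    param([string]$InfText, [string]$Right)
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = $Matches[1] -eq 'Privilege Rights'; continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$' -and $Matches[1] -eq $Right) {
            # Entries are comma separated; SIDs carry a leading '*'.
            return @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return @()   # a right missing from the export has no principals assigned
}

function Resolve-Principal {
    param([string]$Entry)
    if ($Entry -notmatch '^S-1-') { return $Entry }   # already an account name
    try {
        ([System.Security.Principal.SecurityIdentifier]$Entry).Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Entry }   # SID that cannot be resolved on this machine
}

$denied = @(Get-UserRight $inf 'SeDenyBatchLogonRight')
foreach ($p in @(Get-UserRight $inf 'SeBatchLogonRight')) {
    [pscustomobject]@{
        Principal  = Resolve-Principal $p
        NonDefault = $defaults -notcontains $p   # granted by an admin: review
        AlsoDenied = $denied -contains $p        # deny overrides the grant
    }
}
```

The comparison is on the literal entries in the export, so an account that is denied through a group membership is not detected here.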

A note on interactive processes

We've talked about a Windows service using "Logon as Batch" to access shared printers and folders. 

A Windows service can also run a process interactively. For instance, we can start up Notepad on your plain-text print job, if that's what you want.

We'd like to advise you of two issues:

  1. Of course, you have to configure RPM to run your filter program this way. You will need to provide login credentials and also select the setting "Interact with Desktop", which is right below the Credentials, at the top of the Filter Action dialog.
  2. RPM will only launch your interactive program when that user is logged in. RPM tracks user logins and logouts for that reason.

Why RPM needs "Logon as Batch Job"

RPM is print server software and a virtual printer with the ability to process print jobs as a specific Windows user. As you well know, sometimes the permissions make this necessary; for instance, if you want to

  • write to a shared folder
  • print to a shared printer
  • run a program interactively.

We are pleased to make this page available to you. Helping our users makes us all successful, and we're happy to share this information with the community.

If you need a print server or virtual printer, please download the free trial today! And best of luck with your "log on as batch" issues from here on out.