What is "Logon as Batch job"?
This article concerns itself with the following error message:
"Logon failure: the user has not been granted the requested logon type at this computer."
The short version
Here's a simple outline of the problem.
- A Windows service on your computer has nearly unlimited access to your local computer.
- By default, Windows prevents that service from having access to your local network.
- If you need to provide access to shared resources, to a service, then you need a workaround to issue #2; examples would be shared printers and folders
- For that reason, Windows provides "Logon as Batch job" to grant access to a single logged-in user within a service process.
The long version
Here's the more extended version of the problem, including the step-by-step to fix it.
RPM Remote Print Manager® ("RPM") is a Windows system service. Like any other service, it has special permissions on your local machine.
For security reasons, Microsoft decided to prevent Windows services from working the same way on the network. So, for example, RPM can't use shared printers or shared folders directly because they are on your network, not your local computer.
On the other hand, a typical logged-in user can easily use shared printers and folders. You have this right as part of your user profile.
A service like RPM gets around this by impersonating a logged-in user while printing or accessing a file. A service program can impersonate a logged-in user on that computer system, or network. So when you configure an action to use a regular user's login credentials for the printer or folder, you accomplish that by using RPM user interface.
The second requirement is that this user must have Logon as batch job permissions in their profile. Setting this permission keeps a hacker from maliciously creating user accounts to do whatever they want. Only an admin, logged in, can assign this permission to a user profile.
To summarize, here is a chart that presents the problem:
User | Permissions |
---|---|
Windows service | Can use local printers and folders |
Logged-in users | Can use local and shared printers and folder |
Impersonated users | Must have "logon as batch job" set in the profile |
How we first encountered this problem
Let's set up this scenario. The customer used RPM with an "Archive to folder" action using a domain service account to write files to folders on a network share. The user account has the correct credentials.
When the user next processes a print job using this action, they get the following error.
"Error 1385 - Logon failure: the user has not been granted the requested logon type at this computer."
The reason we had never encountered this error is this. When I wrote and tested this function in RPM, I used my login account (since we don't share passwords in the company). My regular user profile has "Logon as Batch Job" because I'm one of the admin users.
A typical user would not have that; hence, the error.
How to solve the "Logon as Batch job" issue
The starting point for this procedure is slightly different between Windows 11 and Windows 10. I'll show you Windows 11 first, then Windows 10.
The remaining steps are identical to the point where I couldn't tell the difference on my Windows 11 system, so I'll leave that part alone to avoid more confusion.
On Windows 11:
- Go to the lower left of your home screen so the search bar appears.
- As shown in the example below, type in "secpol.msc" indicated by the red arrow.
- Don't hit Enter yet; look for the menu to appear. Notice the four options to the right; you want the highlighted option "Run as administrator"
- In the "Local Security Policy" app, go to Security Settings / Local Policies / User Rights Administration. These are collapsing menus you open by clicking the ">" arrow, one at a time.
- Scroll down to "Log on as a batch job" and double-click on that entry
The "Select Users" form is where you would add the user you have configured for the RPM archive to the shared folder operation.
Note that I have put myself in this form: BROOKS\Dave
However, you might have noticed that the security policy already includes that user. If you were adding a user, you would do that here.
It won't hurt to click "Check Names" if you have never done this before. If you entered the domain and username correctly, you shouldn't have a problem.
A note on interactive processes
We've talked about a Windows service using "Logon as Batch" to access shared printers and folders.
A Windows service can also run a process interactively. For instance, we can start up Notepad on your plain-text print job, if that's what you want.
We must advise you of two issues:
- Of course, you have to configure RPM to run your filter program this way. You will need to provide login credentials and also select the setting "Interact with Desktop" which is right below the Credentials, at the top of the Filter Action dialog.
- RPM will only launch your interactive program when that user is logged in. RPM tracks user logins and logouts for that reason.
Why RPM needs "Logon as Batch Job"
RPM is a print server software and a virtual printer that can process print jobs as a specific Windows user. As you well know, sometimes the permissions make this necessary; for instance, if you want to
- write to a shared folder
- print a shared printer
- run a program interactively.
We are pleased to make this page available to you. Helping our users makes us all successful, and we're happy to share this information with the community.
If you need a print server or virtual printer, please download the free trial today! And best of luck with your "log on as batch" issues from here on out.