PowerShell errors using service accounts - VisualCron - Forum

mburza
2020-09-03T20:44:33Z
I'm working on a project to migrate several PowerShell scripts off of a generic server (using Task Scheduler) to VisualCron. These scripts are calling Robocopy to back up files from a PC to a network share, and save a log file of the results to another folder on that same network share. On the Task Scheduler server, these tasks are running as a specific service account, depending on the workstation or system that is being backed up. These same service account credentials have been added into VisualCron's managed credentials. Everything is duplicated as VisualCron jobs, and the exact same PowerShell scripts have been copied and pasted into VC PowerShell tasks. These scripts are still running on the Task Scheduler server (without issues) because I'm seeing errors when trying to run them in VC.

These PowerShell tasks fail within VC when using the respective service account. The error output states:

"Cannot find path '\\SERVERNAME\backupfolder' because it does not exist."

The detailed Robocopy error output also notes that:

"ERROR 1329 (0x00000531) Opening Log File \\SERVERNAME\backupfolder\LOGS\logfile.txt
This user isn't allowed to sign in to this computer."

Like I mentioned above, these service accounts are running the PowerShell scripts fine from the Task Scheduler server. I even double-checked the permissions on the backup server \\SERVERNAME, and the service account is properly authorized (otherwise these scripts couldn't run from the old server).

However, I've also tested by running the VC jobs with my personal admin credentials (which also have permissions to these same network shares and workstations), and the jobs run fine! No error output, and log file is created on the remote backup share.

I'm not sure where to continue troubleshooting. Are there any special permissions that should be set for these service accounts on the actual VC server?
bweston
2020-09-04T16:20:55Z
Check your Local Login and Load Profile settings on the credentials, and try checking, for example, $env:USERNAME and test-path $wherever in a simple PowerShell task with the different credentials.

I always get mixed up about which kinds of behavior require which checkboxes - partly because VisualCron will often warn me I probably want Load Profile when a task works fine without it - but I've definitely had cases where it was important to have the right combination, and I think something similar to this was one of them.
mburza
2020-09-08T15:49:56Z
I will try the simple PowerShell script idea.

I should have noted in my original post that we did try playing with Local Login/Load Profile options. That's actually what led to finding out the job runs successfully with my personal admin account, with these two options unchecked.

The service account has these options unchecked when I receive the errors noted in my OP.

If I have these options Checked on the service account, I get a different error:

"Unhandled error when trying to start process: (1327)Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforcedCurrentProcess is null"
mburza
2020-09-08T19:29:42Z
I was able to try out some of these simple PowerShell commands through VC.

Having the PowerShell job running as either my admin account or the service account, the output for the Username check is "NT AUTHORITY\SYSTEM".

Next, running test-path "\\networkshare\folder" returns TRUE for my admin account, and FALSE for the service account, with the Local Login/Load Profile options unchecked for both.

Checking/enabling the Local Login/Load Profile options results in the "Unhandled error when trying to start process: (1327)" error. I also tried checking Local Login but leaving Load Profile unchecked, despite VC warning against this option. This resulted in the FALSE output, and did not error.
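
The identity and path checks discussed in this thread can be collected in one diagnostic task. The script below is an added example, not code from any poster or from VisualCron; it reports the process token alongside $env:USERNAME and attempts a write so that the underlying Win32 error code is shown rather than only a True/False from Test-Path. The share path is the placeholder from the error message above, and the probe file name and function name are made up for illustration.

```powershell
# Added diagnostic example (not from the thread). Run it as a PowerShell task
# once per credential and compare the output.
param(
    # Placeholder UNC path taken from the error message quoted in the thread.
    [string]$SharePath = '\\SERVERNAME\backupfolder'
)

function Test-TaskShareAccess {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # Identity of the token the task process actually runs under.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    $result = [ordered]@{
        TokenUser      = $identity.Name
        EnvUserName    = $env:USERNAME
        AuthType       = $identity.AuthenticationType
        Impersonation  = $identity.ImpersonationLevel
        PathVisible    = Test-Path -LiteralPath $Path
        WriteSucceeded = $false
        Win32Error     = $null
        ErrorMessage   = $null
    }

    # Test-Path only answers True/False; a write attempt surfaces the real error.
    # The probe file name is constructed for this example.
    $probe = [System.IO.Path]::Combine($Path, "vc-probe-$([guid]::NewGuid()).tmp")
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
        $result.WriteSucceeded = $true
    }
    catch {
        # PowerShell wraps .NET exceptions; unwrap to the innermost one.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        # For HRESULTs of the form 0x8007xxxx the low 16 bits are the Win32 code
        # (for example 1329 or 1327, the codes quoted in this thread).
        $result.Win32Error   = $ex.HResult -band 0xFFFF
        $result.ErrorMessage = $ex.Message
    }

    [pscustomobject]$result
}

Test-TaskShareAccess -Path $SharePath | Format-List
```

Comparing TokenUser with the Win32Error from the write attempt for each credential shows whether the task process and the network access are using the same identity.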