Well, if you're running the task as System then only the computer account needs access to the mapped drive. From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Randy Benson Sent: Monday, May 21, 2007 5:35 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP Thanks Darren: No the backup is local -- a batch file zips the backup and moves it to an off-DC mapped drive, using wzzip.exe, the command line version of winzip. I just added NETWORK and NETWORK SERVICE with full permissions to the security tab on the mapped network drive (SYSTEM was already there) and it seems to be working -- I reset the scheduled start time for 1 minute in the future and it's running now. Have I overdone it? Do NETWORK and/or NETWORK SERVICE need these permissions? TIA, Randy _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Monday, May 21, 2007 5:05 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP Randy- System is the most privileged account on Windows, so you don't need to do anything explicit. However, if the process running in Task Scheduler needs to access resources off the box, then that resource needs to grant the computer's account the appropriate permissions, since System acts on behalf of the computer's account when it accesses remote resources. And, System has no password. darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Randy Benson Sent: Monday, May 21, 2007 5:00 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP Thanks Jamie, I'll try that tonight and report back... Questions: What rights does SYSTEM need (that it doesn't have by default) to run NTBACKUP? The SYSTEM account is a GROUP for permission purposes, right? Do I leave the password blank when I change the account to SYSTEM? Thanks again, Randy _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF Sent: Monday, May 21, 2007 12:38 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: disable Integrated Windows Authentication in IE6 w/ GP Have you tried running the task with the SYSTEM account and then giving the computer rights to wherever it needs to copy the file to? That is easier anyway because you don't have to go around updating every scheduled task each time you change your password. //signed// Jamie R Nelson Systems Engineer Ingenium Corporation _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Randy Benson Sent: Monday, May 21, 2007 2:33 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] disable Integrated Windows Authentication in IE6 w/ GP On a W2k3 domain controller I have a scheduled task that invokes a batch file to zip an existing .bkf file and move it to off-server storage. The task is set to run under my domain admin credentials, but fails to start with no errors in the event log and "Could not start" in the Scheduled Task's status line. While googling on "integrated windows authentication" + scheduled, I hit on a thread in microsoft.public.windows.server.security titled "Scheduled Tasks - Strange Permissions Issue" that seems to have cured the problem by disabling IWA in Internet Explorer(!) Options ->Advanced -> Enable IWA on the DC. However, I'm worried that this is not a good solution as Roger Abell pointed out - that is, "the issue is still sitting there waiting to foul up an NTLM based Windows integrated (re)login attempt"; My question is: Is there something I can tweak in my DC GP to allow scheduled tasks to run with IWA enabled? TIA, Randy Benson W. R. BENSON & ASSOCIATES Los Angeles, CA USA