Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Subscribers 1 subscriber
  • Views 8417 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

The user has not been granted the requested logon type at this computer

CWatson-TTS

I am trying to push out the Sophos Anti-virus to our workstations through the Enterprise console and I come across the following error in the computer details page. "Could not start installation program on the computer: Logon failure: the user has not been granted the requested logon type at this computer".

I am using Enterprise Console 4.7 and am trying to deploy to Windows 7 32bit workstations.

The machines are imported into EC through Active Directory, and I am trying to push out the application using the credentials of one of our Domain Admin accounts. Using the Protect Computers wizard with these credentials gives this error. At first it looks like its trying, as it gives a green down arrow on the computer icon then fails with the error.

It is important to note that I can deploy the application without any errors to the machines when the endpoints are physically logged on with the same Domain Admin account that I am trying to deploy with. It is only when the machines are not logged in at the CTRL-ALT-DEL screen or whether another generic user is logged in that the deployment fails.

So in short to deploy Anti-Virus to the endpoints, I first have to log them all on with the domain admins account that I will enter into the Protect Computers wizard and cannot deploy if they are not logged in or someone else is.

This must be a permission setting or something somewhere, any help would be most appreciated in pointing me in the right direction though.

:16905


This thread was automatically locked due to age.
  • 0

    Hi,

    If you monitor the scheduled task on the remote machine, does it get created?  The management service on the server essentially just creates a scheduled task to run setup.exe from the CID with the necessary command line switches (http://www.sophos.com/support/knowledgebase/article/12570.html ).


    One thing you could try if you're running SEC 4.7 is to create a new registry key on the management server:

    DWORD

    EnableTaskScheduler2

    1

    under: 

    HKEY_LOCAL_MACHINE\SOFTWARE[wow6432node]\Sophos\EE\

    If you set that an re-protect does that help?

    Regards,

    Jak

    :16933
  • 0

    Hi

    I have tried your suggestion of putting in the reg entry and pushing an install.

    This still errors but returns a different error description in the enterprise console: " Could not start installation program on the computer. The system cannot find the file specified. "

    I could see the task being created in the scheduler console on the endpoint and failing with the following error:

    Task Scheduler failed to start "\Sophos_InstTask" task for user "OURDOMAIN\adminuser". Additional Data: Error Value: 2147943785.

    :16945
  • 0

    Hello CWatson-TTS ,

    the error value is 0x80070569 (Login failure: the user has not been granted the requested logon type at this computer ). The most common cause is that the task account doesn’’’’t have "logon as a batch job" privilege.

    Christian

    :16947
  • 0

    Hi QC.

    Could anyone enlighten me on how I change the "logon as a batch job" privilege so it does?

    Cheers

    :16949
  • 0

    how I change the "logon as a batch job" privilege

    GPO or local security policy: Security Settings -> Local Policies -> User Rights Assignments

    Note there is a Deny logon as a batch job and a Log on as a batch job policy.

    Christian

    :16953
  • 0

    Thanks QC

    Had to add the user I was using to install to the "logon as batch job" policy entry. Went to do it on the local machine but it was greyed out and realised it was a GPO managed entry, added the user, rebooted the machines to pick up the updated policy, tried pushing the AV to the endpoint and they popped in nicely.

    Thanks again. :smileyhappy:

    :16973