We had a couple of issues with scheduled tasks not applying when deployed as a GPP (Group Policy Preference) item. We turned on tracing via the local gpedit.msc (Administrative Templates > System > Group Policy > Logging and tracing). From there we enabled Scheduled Task logging, after which events were recorded in the Event Viewer (eventvwr.msc). We also turned on tracing, which wrote a computer.log file to C:\ProgramData\Group Policy\Trace.
The first error we got was:
2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] No item to delete.
2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] pWorkItemV2->Create [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]
2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] replaceTask [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]
2014-10-03 10:42:19.372 [pid=0x59c,tid=0x1294] Properties handled. [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]
2014-10-03 10:42:19.388 [pid=0x59c,tid=0x1294] EVENT : The computer 'AHS-Add-GlobalPrinters' preference item in the 'CTX XenApp 65 Test {E6775312-AAC0-45C3-8A1C-5F5EA46701A7}' Group Policy object did not apply because it failed with error code '0x80070534 No mapping between account names and security IDs was done.'%100790275
2014-10-03 10:42:19.388 [pid=0x59c,tid=0x1294] Completed class - AHS-Add-GlobalPrinters. [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]
2014-10-03 10:42:19.388 [pid=0x59c,tid=0x1294] Error suppressed. [ hr = 0x80070534 "No mapping between account names and security IDs was done." ]
So it can't map an account name to a security ID. It'd be nice if it told us which mapping failed, but it gives us a pretty good hint. We looked at the XML file the GPP creates (stored here: "C:\ProgramData\Microsoft\Group Policy\History\\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml") and saw the following:
Everything validates. Googling for BUILTIN\SYSTEM showed that several people were getting the same error when using BUILTIN\SYSTEM, which makes some sense as "BUILTIN\SYSTEM" isn't a real account. We renamed it to NT AUTHORITY\SYSTEM. This time we got a new error message:
The computer 'AHS-Add-GlobalPrinters' preference item in the 'CTX XenApp 65 Prod {CB954F1D-7AE5-4706-9BCC-995A0D83CED5}' Group Policy object did not apply because it failed with error code '0x80041316 The task XML contains an unexpected node.' See trace file for more details.
This doesn't tell us a whole lot. What is the unexpected node? Looking again at the XML file, it looked like so:
The difference that I can see:
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
The SYSTEM account is NOT a group. We changed how we selected the SYSTEM account by "Browsing" AD, going into the root of the domain, going into the Builtin OU, and selecting SYSTEM. This populated as "NT AUTHORITY\Well-Known-Security-Id-System". This will fail because there is no such user account called "Well-Known-Security-Id-System". At this point we renamed it to "NT AUTHORITY\SYSTEM".
Boom, the GPP scheduled task now worked without issue. Checking the XML, manually selecting the SYSTEM account had changed
<GroupId>NT AUTHORITY\SYSTEM</GroupId>
To
<UserId>NT AUTHORITY\SYSTEM</UserId>
SO.
If you are having issues with your GPP scheduled task item running as the SYSTEM account, I would HIGHLY recommend you check your XML file and confirm the account is set as "NT AUTHORITY\SYSTEM" and that it is wrapped in UserId, NOT GroupId.
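An added example (not from the original post): a PowerShell check that parses a GPP ScheduledTasks.xml and flags the three principal mistakes described above. The function name Test-GppTaskPrincipal, the task names and the sample XML are made up for illustration, and the TaskV2/Principal layout is assumed from the usual GPP file format.

```powershell
# Added example. $sample is CONSTRUCTED test data, not the XML from the post.
$sample = @'
<ScheduledTasks>
  <TaskV2 name="Example-Task-A"><Properties action="R"><Task version="1.2">
    <Principals><Principal id="Author"><UserId>BUILTIN\SYSTEM</UserId></Principal></Principals>
  </Task></Properties></TaskV2>
  <TaskV2 name="Example-Task-B"><Properties action="R"><Task version="1.2">
    <Principals><Principal id="Author"><GroupId>NT AUTHORITY\SYSTEM</GroupId></Principal></Principals>
  </Task></Properties></TaskV2>
  <TaskV2 name="Example-Task-C"><Properties action="R"><Task version="1.2">
    <Principals><Principal id="Author"><UserId>NT AUTHORITY\Well-Known-Security-Id-System</UserId></Principal></Principals>
  </Task></Properties></TaskV2>
  <TaskV2 name="Example-Task-D"><Properties action="R"><Task version="1.2">
    <Principals><Principal id="Author"><UserId>NT AUTHORITY\SYSTEM</UserId></Principal></Principals>
  </Task></Properties></TaskV2>
</ScheduledTasks>
'@

function Test-GppTaskPrincipal {
    param([Parameter(Mandatory)][xml]$Xml)
    # local-name() matches the elements whether or not the file declares a namespace.
    $query = "//*[local-name()='Principal']/*[local-name()='UserId' or local-name()='GroupId']"
    foreach ($node in $Xml.SelectNodes($query)) {
        $account = $node.InnerText.Trim()
        # Each branch corresponds to one failure described in the post.
        $issue = if ($account -match '^BUILTIN\\SYSTEM$') {
            'BUILTIN\SYSTEM is not a real account (seen with 0x80070534)'
        } elseif ($account -match 'Well-Known-Security-Id-System') {
            'Name filled in by the AD browse dialog; no such account exists'
        } elseif ($node.LocalName -eq 'GroupId' -and $account -match '^NT AUTHORITY\\SYSTEM$') {
            'SYSTEM is not a group; must be UserId (seen with 0x80041316)'
        } else { 'OK' }
        # Walk up to the enclosing preference item to report its name.
        $item = $node.SelectSingleNode("ancestor::*[local-name()='TaskV2']")
        [pscustomobject]@{
            Task    = if ($item) { $item.GetAttribute('name') } else { '(unknown)' }
            Element = $node.LocalName
            Account = $account
            Issue   = $issue
        }
    }
}

Test-GppTaskPrincipal -Xml $sample | Format-Table -AutoSize
```

To check a live machine, pass `[xml](Get-Content -Raw <path to ScheduledTasks.xml>)` as -Xml, using the History path given earlier.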
Thanks. Exact same issue.
Shouldn't MS call it a bug? Why does GPEDIT fill in a name that's not resolvable?
Anyway, thanks!
Thank you for this. Still helpful in 2019.
Oh, MAN ...
Blew ALL DAY chasing this. Thanks a ton for this post!
I can confirm that this was happening to me, too. Thank you!
Very helpful thanks for the detail
Thank you SO much for posting this info!
Still works in 2023! thank you!
Still doesn't work !
I figured out the NT\SYSTEM bit on my own but it still won't create a new scheduled task.
Thanks! This worked for me as well. I think it is worth noting that the task wasn't even created until SYSTEM was added. I thought it would create the task but not run.