Windows-server-2016 task scheduler doesn’t save domain user to run as properly

Tags: scheduled-task, windows, windows-server-2016

The Task Scheduler (TS) isn't saving domain information for the "run task as" user.

Steps to replicate:

In General->Security Options it shows which user the task will run as with the button "Change User or Group" beside it.

The TS lets me change the user to a domain user and shows "DOMAIN\USER" in the field.

Pressing OK prompts me to enter the password for "DOMAIN\USER" which I do.

Opening up the TS task again shows that the domain part of the "DOMAIN\USER" has been stripped out of the Run As field.

When that task is run, it does not run as the "DOMAIN\USER".

Expected Behavior

TS should run the task as the "run as" user, like it does on Server 2012 R2.

OS Details

OS is Windows Server 2016 Standard | Version 10.0.14393 Build 14393, and the server is part of a domain.

EDIT: In Windows 10 it looks like it does the same thing, but the task does end up being run as the correct user. The exported task XML used to look like this: `<UserId>DOMAIN\USER</UserId>` but now it looks like this: `<UserId>[numbers-with-a-lot-of-hyphens-that-starts-with-a-letter]</UserId>`

EDIT-2: It looks like what's being stored in the XML settings is a Windows SID (security identifier).

Best Answer

Turns out it was an extra privilege that was on the new box that needed to be disabled and then Task Scheduler runs fine. "SeDelegateSessionUserImpersonatePrivilege" was the culprit.

What caused me to believe it was the task scheduler is that the task scheduler has changed how it saves the user in the XML: it used to save it as “DOMAIN\USER” but now it saves it as a SID (security ID) and doesn’t display the domain portion in the ‘RUN AS’ section of the task scheduler.

When I ran whoami /all I saw that one privilege was on the new box but not the old box.

That privilege was: SeDelegateSessionUserImpersonatePrivilege = disabled

Removing this privilege fixes the issue.

So on Windows Server 2016 std build 14393 enabling or removing the privilege SeDelegateSessionUserImpersonatePrivilege fixes this issue of Tasks not running as the stored user in Task Scheduler.

EDIT: Windows Server 2016 Task Scheduler correctly runs tasks that were set up right the first time with no edits, that had the checkbox ‘Run with highest privileges’ unchecked, and that start in the future. So if you need to modify a scheduled task, you should probably create a brand new task and then delete the old one rather than edit an existing task.
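
The two checks described in this thread can be scripted. The following is an added example, not code from the original post: it resolves the SID stored in a task's `<UserId>` element back to an account name and reports whether `SeDelegateSessionUserImpersonatePrivilege` is present in the current token. The function names, the sample XML and the SID in it are constructed for illustration.

```powershell
# Added example (not from the original post). Function names are hypothetical.

# Resolve the <UserId> stored in exported task XML (a SID on newer builds) to an account name.
function Resolve-TaskRunAs {
    param([Parameter(Mandatory)][string]$TaskXml)
    $doc = [xml]$TaskXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    foreach ($node in $doc.SelectNodes('//t:Principals/t:Principal/t:UserId', $ns)) {
        $stored  = $node.InnerText.Trim()
        $account = $stored                     # older format: already DOMAIN\USER
        if ($stored -match '^S-1-\d+(-\d+)+$') {
            try {
                $sid     = New-Object System.Security.Principal.SecurityIdentifier($stored)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Unknown SID, or the domain cannot be reached from this machine
                $account = '(SID could not be resolved from this machine)'
            }
        }
        [pscustomobject]@{ StoredUserId = $stored; ResolvedAccount = $account }
    }
}

# Report the state of one privilege in the current token ("whoami /all" shows the same list).
function Get-TokenPrivilegeState {
    param([string]$Name = 'SeDelegateSessionUserImpersonatePrivilege')
    $rows = whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
    $row  = $rows | Where-Object { $_.Name -eq $Name }
    if ($row) { $row.State } else { 'Not present' }
}

# Constructed sample: the SID below is made up and will normally not resolve.
$sample = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-21-1111111111-2222222222-3333333333-1001</UserId>
    </Principal>
  </Principals>
</Task>
'@

Resolve-TaskRunAs -TaskXml $sample
# Same XML with the well-known SID S-1-5-18, which resolves on any Windows machine
Resolve-TaskRunAs -TaskXml ($sample -replace 'S-1-5-21[-\d]+', 'S-1-5-18')
Get-TokenPrivilegeState
```

For a real task, pass the output of `Export-ScheduledTask -TaskName '<task name>'` as `-TaskXml`. Note that `whoami` reports the privileges of the account running the script, so run it as the account you are comparing between servers.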