GCRaistlin's questions

I have a domain: DC, Internet gate and a couple of workstations. DC also works as DNS server. All queries to external names are being forwarded by the internal DNS server to the DNS server on Internet gate (actually, Kerio Control's DNS forwarder).

I found out that I can't resolve certain DNS names:

R:\>nslookup ru.secretvpn.net
Server:  dc.mydomain.local
Address:  192.168.0.1

*** dc.mydomain.local can't find ru.secretvpn.net: Server failed

Other names can be resolved just fine (including secretvpn.net itself). If I specify DNS server (the one from the settings of the WAN NIC on Internet gate) resolving also works fine. It also works on Internet gate itself.

So the issue is bound somehow with DNS queries forwarding from the internal DNS server to the DNS forwarder.

In my Active Directory environment (DC runs Windows Server 2003 R2 SP2), there is a Windows Server 2008 R2 SP1 client. On this client, there are scheduled tasks that are running under the local admin account. I want to add a task that will be running under a domain account BackupUser. BackupUser is a member of domain Backup Operators group.

Task Scheduler fails to add the task with the error 2147943785. It's a permission issue and may be fixed by assigning Log on as a batch job right to BackupUser. But doing this via the Group Policy overwrites the default value which is "Backup Operators, Administrators". This causes tasks that are running under the local admin account to stop working. It is unable to assign Log on as a batch job right to these default groups via the Group Policy as they are builtin and simply not available to add.

How to allow (via the Group Policy) a domain user to run a task without breaking the ability to run tasks under the local admin?

The only way I found yet is to add BackupUser to Domain Admins group (even not to Administrators!) and not to touch Log on as a batch job at all. But it is surely a wrong way to do things.