Importance of the "Log on as a Batch Job" Policy for UiPath Orchestrator: Avoiding Critical Failures

How does misconfiguring the "Log on as a Batch Job" policy affect the functionality of UiPath Orchestrator, and what steps should be taken to resolve or prevent these issues?

Issue Description:

The "Log on as a Batch Job" policy is critical for the proper functioning of UiPath Orchestrator, as it allows certain service accounts and applications, including IIS App Pool identities and Orchestrator-related services, to run background tasks without user interaction. Misconfiguring this policy can lead to severe operational failures.

Specific Scenarios:

  1. No User Added to "Log on as a Batch Job" During Installation:
     • Impact: Critical services like IIS Application Pools, which manage Orchestrator web applications, might fail to start or function correctly. This could result in the Orchestrator website being inaccessible, APIs malfunctioning, and scheduled tasks or process executions failing.
     • Symptoms: Errors related to service startup failures, authentication problems, or an inaccessible Orchestrator interface.
  2. Removing Users from "Log on as a Batch Job" After Installation:
     • Impact: If necessary users (e.g., IIS_IUSRS, application pool users) are removed from the policy post-installation, Orchestrator components may fail during runtime. This could cause service disruptions, inability to schedule or execute jobs, and access issues with the Orchestrator interface.
     • Returning to a Locked Policy: Reverting the policy to its original (locked) state may restrict required users, leading to potential downtime or reduced functionality of Orchestrator.

Resolution:

To resolve and prevent these issues, follow these steps:

  1. During Installation:
     • Ensure that the necessary users, such as IIS_IUSRS and application pool users (e.g., Identity, Orchestrator service accounts), are added to the "Log on as a Batch Job" policy.
  2. Post-Installation:
     • Avoid removing these users from the policy. If organizational security policies require policy changes, consult with the security team to understand the implications and explore alternatives that allow Orchestrator to operate correctly.
  3. Testing:
     • Before enforcing any restrictive policies, thoroughly test Orchestrator's functionality in a staging environment that mirrors the production setup. Ensure all components work as expected with the configured policies.
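
One way to verify the policy on a staging or production server before and after a hardening change, as an added example that is not UiPath's own tooling: it exports the user-rights assignments with secedit and reports whether each required account holds SeBatchLogonRight, the internal name of "Log on as a batch job". The account names in `$required` are placeholders to replace with the identities your installation uses.

```powershell
# Added example: audit direct holders of "Log on as a batch job" (SeBatchLogonRight).
# Run from an elevated PowerShell prompt on the Orchestrator server.

# Assumption: placeholder names; replace with the identities your installation uses.
$required = @('BUILTIN\IIS_IUSRS', 'IIS APPPOOL\YourOrchestratorAppPool')

function Get-BatchLogonHolders {
    # Export only the user-rights area of the security policy and return the
    # entries on the SeBatchLogonRight line. SIDs are written with a leading '*'.
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^\s*SeBatchLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }   # the right is assigned to nobody
        ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

function Resolve-ToSid([string]$Account) {
    try {
        ([System.Security.Principal.NTAccount]$Account).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }   # account does not exist on this host
}

$holders = @(Get-BatchLogonHolders)
$report = foreach ($account in $required) {
    $sid  = Resolve-ToSid $account
    $leaf = ($account -split '\\')[-1]
    # An entry may be stored as a SID or as a plain account name, so check both.
    $held = ($sid -and $holders -contains $sid) -or
            ($holders -contains $account) -or ($holders -contains $leaf)
    [pscustomobject]@{
        Account = $account
        Sid     = $sid
        Status  = if (-not $sid) { 'UNRESOLVED' } elseif ($held) { 'OK' } else { 'MISSING' }
    }
}
$report | Format-Table -AutoSize
if ($report.Status -contains 'MISSING') { Write-Warning 'Required account lacks SeBatchLogonRight.' }
```

The check covers direct entries only: an account that receives the right through a group it belongs to is reported as MISSING, so confirm group membership before acting on that result.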

By maintaining the necessary users in the "Log on as a Batch Job" policy, you can ensure the seamless operation of UiPath Orchestrator, preventing service disruptions and maintaining system availability.