What does Internet Explorer have to do with the “Logon as a Batch Job” Local Policy?

  • Article

Hello everyone!

This blog outlines and interesting issue that just came through the IE Support Team.  A customer contacted Microsoft recently when he noticed that user accounts were being added to the “Logon as a Batch Job” local policy.  This only started happening after their roll-out of Internet Explorer 7.  Confirming the behavior, the engineer then researched the new additions to Internet Explorer 7 from earlier revisions of IE.  After narrowing the scope, a code review was done which confirmed that it was actually the new RSS Feed functionality that was causing the behavior.  Let’s break it down…

When IE7 is installed, the ability to for RSS Feed support is automatically there.  Once a user logs onto the machine, they are able to add a feed via the IE7 user interface here

image

once the web site is loaded which has RSS Feed capability.  Once the RSS Feed has been added using the RSS Feed button, the properties of that RSS Feed can be reviewed.  We can then see the cause behind the user account being added to the local policy:

image

Notice that the Automically check feeds for updates option is enabled under the Feed Settings dialog.  The option is always enabled for every RSS Feed added, unless specifically disabled through the IEAK or Group Policy.  This option tells the RSS Feed engine to create a hidden task with Task Scheduler:

image

(The syntax is as follows:  User_Feed_Synchronization-GUID)

This hidden task will perform a periodic background sync of RSS Feed data using Task Scheduler.  For the scheduled task to be added the user must be part of the local policy, “Logon as a Batch Job”, as seen below with the group policy settings:

image

Therefore, the behavior is “by design” for Internet Explorer 7.

To keep user accounts from being added to the “Logon as a Batch Job” local policy, simply turn off the option that allows background synchronization of RSS Feeds.  This can be done via the IEAK (although a user could simply re-enable option if they so choose), or Group Policy.  Group Policy is the best approach, as it allows administrative management of this option keeping users from re-enabling background synchronization within the Internet Explorer 7 user interface:

image

This can be verified within the registry once the Turn off background sync for feeds policy has been enabled:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds]

“BackgroundSyncStatus”=dword:00000000

 

Well, that’s about it.  We hope that this information was informative and useful.

Regards,

The IE Support team