
Why do user accounts "not have permission to run this task"?


I am creating a Scheduled task configured via PowerShell using the XML:

$LogonTask_xml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>$(get-date -Format yyyy-MM-ddTHH:mm:ss.00000)</Date>
    <Author>Interactive</Author>
    <Description>$LogonDescription</Description>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Delay>PT1H</Delay>
      <ExecutionTimeLimit>PT4H</ExecutionTimeLimit>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT4H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$VBScriptPath</Command>
    </Exec>
  </Actions>
</Task>
"@

I want all users to run within their own context -- but not modify -- and when they test it, they keep encountering "The user account does not have permission to run this task."

As you can see, the task runs as the Users group, and is allowed to start on demand. The task works fine if I run it as an administrator. The "users" group can see this particular task and has read & execute rights to the task file (in c:\Windows\System32\Tasks), and users can create other tasks and run them. I would swear that this used to work.

When I created another task and manipulated the ACL to exactly match the "troublesome" task, the second task still runs at a user's request without a problem.

There must be something else about some tasks that can prevent unprivileged users from running them, but I cannot figure out what it might be. Help!

