Announcement

Collapse
No announcement yet.

Schedule tasks permissions

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Schedule tasks permissions

    Hi :

    What permissions does a user need to run a scheduled task?
    e.g. :
    I want to run a scheduled task with a domain account, but I don't want neither can't put that account under the local administrators local group.

    I tried adding the account special permissions (act as operating system, log on as a batch user, log on as service, create a token level process, etc, nothing did help.

    Is any solution or should I add the account on the local administrators group?

    That account has permissions (ntfs) on the files, and folders where the script to run is on.
    The user has full controll on the schedule task itself.

  • #2
    Re: Schedule tasks permissions

    Giving someone permissions to schedule tasks is equivalent to giving him administrator privileges on the computer as it lets the user to submit a task that will execute under SYSTEM account (i.e.: schtasks.exe /create with /U "NT AUTHORITY\SYSTEM" switch)

    I am 99% sure that this user right is hard coded (and there is a good reason for that as you have just seen)
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"

    Comment


    • #3
      Re: Schedule tasks permissions

      I'm pretty darn sure you don't need to be a local admin to run a scheduled task, at least not on XP.

      For AT, you need to be an admin as it runs as SYSTEM.

      I recall a work laptop (where the user was locked down as a User) that I was able to run a scheduled task authenticating as that domain account and it ran under those credentials.

      Schedule CMD.EXE (Command Prompt) to run once 2 minutes into the future while logged on interactively as the target account. CMD.EXE should pop up as it will interact w/ the desktop and you can type SET and/or WHOAMI (W2K Resource Kit) to see what you have.

      The task only has the power of that user so no big back door here.

      Is it possible the target account can't logon the box? That might be the key.

      I'm not able to verify this for a week plus but experiment a little and report back.
      Cheers,

      Rick

      ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

      2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

      Comment


      • #4
        Re: Schedule tasks permissions

        You are right. You can schedule tsk without being member of Administrators, but you can't configure it to run under SYSTEM account.

        On XP it's enough to be member of Users group (means that any domain account can schedule a task).

        Give the following command a test:
        Code:
        schtasks /create /SC daily /TN "Test scheduled task" /TR "c:\windows\system32\calc.exe" /ST 17:27:00
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"

        Comment


        • #5
          Re: Schedule tasks permissions

          Sorry for the long time to reply.
          The solution was to give permissions to that user to the cmd.exe
          So it can execute a script ( a .cmd script)

          Comment


          • #6
            Re: Schedule tasks permissions

            I knew it had to be something simple. Thanks for sharing the conclusion to your endeavor. Closure is a good thing we don't always receive here.
            Cheers,

            Rick

            ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

            2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

            Comment


            • #7
              Re: Thanks for sharing

              Originally posted by Eduardite View Post
              Sorry for the long time to reply.
              The solution was to give permissions to that user to the cmd.exe
              So it can execute a script ( a .cmd script)


              Thanks for sharing your answer with us! I'm sure others will also benefit from knowing what was wrong and how you fixed it.



              However, we'de appreciate it if you could grant some reputation points to the user that helped you. Just click on the little Yin-Yang icon on the right of the user's answer and follow the prompt.
              Cheers,

              Daniel Petri
              Microsoft Most Valuable Professional - Active Directory Directory Services
              MCSA/E, MCTS, MCITP, MCT

              Comment

              Working...
              X