• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Re: How to permit access to create Scheduled Tasks for non-Admin user

R

Ralph Avery

#1
Create a group (either server local, or domain global) Example : "RunTasks"
Add any members you want to have the ability to run the task to the group.
Note, creating a domain global group is easier to manage in the long run.
If the non-administrator account is currently logged on, log off and back on
to get the new security descriptor.

Create a temporary folder at c:\ for example: "C:\TempTask"
Run "Xcopy c:\windows\tasks c:\TempTask"
Run "Cacls c:\Windows\Tasks > c:\TaskPerms.txt"
Run "Cacls c:\TempTask /s > c:\Temp\OriginalPermString.Txt (Save this file,
this has the original permissions in it in case you need to return)
Default Perm string for c:\Windows\Tasks =
"D:PAI(A;OICI;FA;;;BA)(A;;0x1200ab;;;BO)(A;OICIIO;FA;;;CO)(A;;0x1200ab;;;SO)(A;OICI;FA;;;SY)"
Edit the permissions on folder c:\TempTask (Add the new group with "Change"
permissions on the folder, subfolder, and files.
Run "Cacls C:\TempTask /s > c:\Temp\NewPerms.txt" (The NewPerms.txt file
will have your new permissions for the Tasks Folder)
Copy the SDDL string from NewPerms.txt (This is everything in the Quotes ""
section)
Command as "cacls c:\windows\tasks /s:"the String from the NewPerms.txt
file" (It may be easier to enter it in Notepad and then copy it as a whole
string)
Run that command to set the permissions on the c:\windows\tasks folder.

Set the permissions on the "Task Scheduler" service


Download Subinacl.exe from Microsoft
(http://www.microsoft.com/downloads/...56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en)
Create a command...
SubInAcl /Service Schedule /Grant=RunTasks=F (Replace RunTasks with
domain\username or Domain\Groupname or simply the group name if it's a server
local group)


Test the schtasks /Run /TN TaskName command
 

My Computer

S

Simone

#2
Re: How to permit access to create Scheduled Tasks for non-Admin u

If you add the user to the backup operators group you will give them pretty
high level access to all the data on the server..
 

My Computer

S

Simone

#3
Re: How to permit access to create Scheduled Tasks for non-Admin u

Hi Ralph,

I tried this on a 2003 R2 Sp2 Server and it granted full access to all
users. Could I have missed a step? I tried it a few times to make sure, but
it's possible I was missing something..

I have users that are local power users, and want them to be able to modify,
view, execute scheduled tasks - without giving them admin access.

Any suggestions?
 

My Computer

S

Simone

#4
Re: How to permit access to create Scheduled Tasks for non-Admin u

Hi Ralph,

I tried this on a Windows 2003 R2 Sp2 server and it granted full access to
all users. Even when I remove users from the newly created group, they can
still open scheduled tasks and modify them (where they used to get access is
denied).

I tried it a few time to make sure I didn't miss any steps. Do you have any
other suggestions?

Thanks
Simone
 

My Computer

Users Who Are Viewing This Thread (Users: 1, Guests: 0)