How to permit access to create Scheduled Tasks for non-Admin users

Sponsored Links

Hey all,

We have a few application experts to which we've given user-level RDP access
to some W2K3 servers. They want to be able to create scheduled tasks that
will run under their account. By default, non-Admins can't see the Scheduled
Tasks applet. "Access Denied" is what they see.

I've seen some GPO config options regarding the Task Scheduler but I can't
seem to find one that will allow regular system users to create/modify
scheduled tasks. Can you guys help me out?

Thanks in advance,
B

The simple solution is assigning the user to Backup Operators group of the local computer. Another option is use cacls command to modify tasks folder, which is located in c:\windows\tasks in most cases.

So far this happen to the W2K3 server version. Hopefully microsoft got
patches on it.

Create a group (either server local, or domain global) Example : "RunTasks"
Add any members you want to have the ability to run the task to the group.
Note, creating a domain global group is easier to manage in the long run.
If the non-administrator account is currently logged on, log off and back on
to get the new security descriptor.

Create a temporary folder at c:\ for example: "C:\TempTask"
Run "Xcopy c:\windows\tasks c:\TempTask"
Run "Cacls c:\Windows\Tasks > c:\TaskPerms.txt"
Run "Cacls c:\TempTask /s > c:\Temp\OriginalPermString.Txt (Save this file,
this has the original permissions in it in case you need to return)
Default Perm string for c:\Windows\Tasks =
"D:PAI(A;OICI;FA;;;BA)(A;;0x1200ab;;;BO)(A;OICIIO;FA;;;CO)(A;;0x1200ab;;;SO)(A;OICI;FA;;;SY)"
Edit the permissions on folder c:\TempTask (Add the new group with "Change"
permissions on the folder, subfolder, and files.
Run "Cacls C:\TempTask /s > c:\Temp\NewPerms.txt" (The NewPerms.txt file
will have your new permissions for the Tasks Folder)
Copy the SDDL string from NewPerms.txt (This is everything in the Quotes ""
section)
Command as "cacls c:\windows\tasks /s:"the String from the NewPerms.txt
file" (It may be easier to enter it in Notepad and then copy it as a whole
string)
Run that command to set the permissions on the c:\windows\tasks folder.

Set the permissions on the "Task Scheduler" service


Download Subinacl.exe from Microsoft
(http://www.microsoft.com/downloads/d...DisplayLang=en)
Create a command...
SubInAcl /Service Schedule /Grant=RunTasks=F (Replace RunTasks with
domain\username or Domain\Groupname or simply the group name if it's a server
local group)


Test the schtasks /Run /TN TaskName command

If you add the user to the backup operators group you will give them pretty
high level access to all the data on the server..

Hi Ralph,

I tried this on a 2003 R2 Sp2 Server and it granted full access to all
users. Could I have missed a step? I tried it a few times to make sure, but
it's possible I was missing something..

I have users that are local power users, and want them to be able to modify,
view, execute scheduled tasks - without giving them admin access.

Any suggestions?

Hi Ralph,

I tried this on a Windows 2003 R2 Sp2 server and it granted full access to
all users. Even when I remove users from the newly created group, they can
still open scheduled tasks and modify them (where they used to get access is
denied).

I tried it a few time to make sure I didn't miss any steps. Do you have any
other suggestions?

Thanks
Simone