OBJECTIVE: allow a non-administrator to run scheduled tasks remotely.
ISSUE: By default, only non-administrator, INTERACTIVE and TelnetClients can run scheduled tasks remotely.
SOLUTION:
- Create scheduled task with system account
schtasks /create /tn TASKNAME /tr "cmd.exe /c echo %%DATE%% %%TIME%% %%COMPUTERNAME%% >> %%TEMP%%\TASKNAME.log" /ru System /sc minute /mo 60 /st 00:03 /et 23:45
- Change account for the scheduled task
schtasks /change /tn TASKNAME /s %COMPUTERNAME% /ru TASKUSER /rp TASKPASS
- Assign permission to execute the scheduled task to the non-administrative user or group
cscript.exe XCACLS.vbs %systemroot%\tasks\TASKNAME.job /E /G YOURDOMAIN\TASKUSER:X
- Give permission to execute %SystemRoot%\system32\cmd.exe to the non-administrative user or group
cscript.exe XCACLS.vbs %systemroot%\system32\cmd.exe /E /G YOURDOMAIN\TASKUSER:X
- Assign the "Log on as a batch job" right to the non-administrative user or group.
Open "Local Security Settings" --> "Local Policies" --> "User Rights Assignment" --> "Log on as a batch job" and add the non-administrative user or group.
Test the result with the following command:
notepad %TEMP%\TASKNAME.log
--- Start of bat file ---
@echo off
:: *************************************************
:: File: task-create_test1.cmd
:: Author: Vadims Zenins (http://vadimszenins.blogspot.com)
:: Version: 1.00
:: Date: 09/01/2009 12:07
:: Task create for non-administrator user or group
:: Usage: task-create_test1.cmd PASSWORD
:: Requirements: XCACLS.vbs
:: ************************************************
:: @IF ERRORLEVEL 1 PAUSE
::echo 1: %1
@SETLOCAL
SET SOURCEPC=%COMPUTERNAME%
SET TASKNAME=task_test1
SET LOGDIR=E:\tools\logs
SET LOGFILE=%LOGDIR%\%TASKNAME%.log
SET TASKUSER=MyDomain\MyTaskUser
SET TASKGROUP=MyDomain\MyTaskGroup
SET TASKPASS=%1
SET TASKCOMMAND="%%systemroot%%\system32\cmd.exe /c echo %%DATE%% %%TIME%% %%COMPUTERNAME%% >> %LOGFILE%"
SET XCACLS=E:\tools\XCACLS.vbs
:: ==============================================================
if not exist %LOGDIR% md %LOGDIR%
echo ====================== >> %LOGFILE%
echo %DATE% %TIME% >> %LOGFILE%
echo SCRIPT is started >> %LOGFILE%
@if "%1"=="" goto usage
@if "%1"=="/?" goto usage
@if "%1"=="-?" goto usage
:: Remove any previous copy of the task, then create it under the System account
schtasks /delete /tn %TASKNAME% /f >> %LOGFILE%
schtasks /create /tn %TASKNAME% /tr "cmd.exe /c echo %%DATE%% %%TIME%% %%COMPUTERNAME%% >> %LOGFILE%" /ru System /sc minute /mo 60 /st 00:03 /et 23:45 >> %LOGFILE%
:: Switch the task to run as the non-administrative account
schtasks /change /tn %TASKNAME% /s %COMPUTERNAME% /ru %TASKUSER% /rp %TASKPASS% >> %LOGFILE%
:: Grant the group execute permission on cmd.exe and on the task's .job file
cscript.exe %XCACLS% %systemroot%\system32\cmd.exe /E /G %TASKGROUP%:X /L %LOGFILE%
cscript.exe %XCACLS% %systemroot%\tasks\%TASKNAME%.job /E /G %TASKGROUP%:X /L %LOGFILE%
@goto end
:USAGE
@echo Usage: >> %LOGFILE%
@echo task-create_test1.cmd PASSWORD >> %LOGFILE%
::exit 1
:END
echo %DATE% %TIME% >> %LOGFILE%
echo SCRIPT is finished >> %LOGFILE%
echo. >> %LOGFILE%
--- End of bat file ---
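After running the script it is worth confirming that the two ACL changes granted the group execute access and nothing wider. The PowerShell check below is an added example, not part of the original script; the task and group names repeat the script's placeholders, and treating "execute only" as ReadAndExecute plus Synchronize is an assumption.

```powershell
# Added example: audit the ACL entries created by the XCACLS.vbs steps.
# $TaskName / $TaskGroup mirror the placeholders in task-create_test1.cmd.
$TaskName  = 'task_test1'
$TaskGroup = 'MyDomain\MyTaskGroup'
$Targets   = @(
    (Join-Path $env:SystemRoot "tasks\$TaskName.job"),
    (Join-Path $env:SystemRoot 'system32\cmd.exe')
)

# Rights accepted as an execute-only grant (assumption, see lead-in).
$Rights  = [System.Security.AccessControl.FileSystemRights]
$Allowed = [int]($Rights::ReadAndExecute -bor $Rights::Synchronize)

function Test-ExecuteOnlyGrant {
    param([string]$Path, [string]$Identity)

    if (-not (Test-Path -Path $Path)) {
        return "MISSING   $Path"
    }
    # Collect the Allow entries that name the group explicitly.
    $aces = @((Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow'
    })
    if ($aces.Count -eq 0) {
        return "NO GRANT  $Path (no Allow entry for $Identity)"
    }
    foreach ($ace in $aces) {
        # Any bit outside the allowed mask means the grant is wider than execute.
        $extra = [int]$ace.FileSystemRights -band (-bnot $Allowed)
        if ($extra -ne 0) {
            return "TOO WIDE  $Path ($($ace.FileSystemRights))"
        }
    }
    return "OK        $Path (execute only for $Identity)"
}

foreach ($target in $Targets) {
    Test-ExecuteOnlyGrant -Path $target -Identity $TaskGroup
}
```

A "TOO WIDE" result on cmd.exe or the .job file means the group can do more than run the task, for example modify the file, and the entry should be reduced.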
Links
Extended Change Access Control List Tool (Xcacls). Xcacls.vbs is an unsupported tool that provides additional capabilities not provided with the supported utility, Xcacls.exe.
Schtasks
3 comments:
Do you know how to make this work for 2008 and 2008 R2?
Hi,
I haven't had a chance to use it on Windows 2008