2009/01/12

How to allow non-administrator to run scheduled tasks remotely

CURRENT CONFIGURATION: Windows 2003 server SP2

OBJECTIVE: allow a non-administrator to run scheduled tasks remotely.

ISSUE: By default, only non-administrator, INTERACTIVE and TelnetClients can run scheduled tasks remotely.

SOLUTION:
- Create scheduled task with system account
schtasks /create /tn TASKNAME /tr "cmd.exe /c echo %%DATE%% %%TIME%% %%COMPUTERNAME%% >> %%TEMP%%\TASKNAME.log" /ru System /sc minute /mo 60 /st 00:03 /et 23:45

- Change account for the scheduled task
schtasks /change /tn TASKNAME /s %COMPUTERNAME% /ru TASKUSER /rp TASKPASS

- Assign permissions to execute scheduled task to non-administrative user or group
cscript.exe XCACLS.vbs %systemroot%\tasks\TASKNAME.job /E /G YOURDOMAIN\TASKUSER:X

- Give permission to execute %SystemRoot%\system32\cmd.exe to the non-administrative user or group
cscript.exe XCACLS.vbs %systemroot%\system32\cmd.exe /E /G YOURDOMAIN\TASKUSER:X

- Assign the "Log on as a batch job" right to the non-administrative user or group.
Open "Local Security Settings" --> "Local Policies" --> "User Rights Assignment" --> "Log on as a batch job" and add the non-administrative user or group.

Test the result with the following command:
notepad %TEMP%\TASKNAME.log

--- Start of bat file --

@echo off
:: *************************************************
:: File: task-create_test1.cmd
:: Author: Vadims Zenins (http://vadimszenins.blogspot.com)
:: Version: 1.00
:: Date: 09/01/2009 12:07
:: Task create for non-administrator user or group
:: Usage: task-create_test1.cmd PASSWORD
:: Requirements: XCACLS.vbs
:: ************************************************

:: @IF ERRORLEVEL 1 PAUSE
::echo 1: %1

@SETLOCAL
SET SOURCEPC=%COMPUTERNAME%
SET TASKNAME=task_test1
SET LOGDIR=E:\tools\logs
SET LOGFILE=%LOGDIR%\%TASKNAME%.log
SET TASKUSER=MyDomain\MyTaskUser
SET TASKGROUP=MyDomain\MyTaskGroup
SET TASKPASS=%1
SET TASKCOMMAND="%%systemroot%%\system32\cmd.exe /c echo %%DATE%% %%TIME%% %%COMPUTERNAME%% >> %LOGFILE%"
SET XCACLS=E:\tools\XCACLS.vbs
:: ==============================================================

if not exist %LOGDIR% md %LOGDIR%

echo ====================== >> %LOGFILE%
echo %DATE% %TIME% >> %LOGFILE%
echo SCRIPT is started >> %LOGFILE%

@if "%1"=="" goto usage
@if "%1"=="/?" goto usage
@if "%1"=="-?" goto usage

schtasks /delete /tn %TASKNAME% /f >> %LOGFILE%
schtasks /create /tn %TASKNAME% /tr "cmd.exe /c echo %%DATE%% %%TIME%% %%COMPUTERNAME%% >> %LOGFILE%" /ru System /sc minute /mo 60 /st 00:03 /et 23:45 >> %LOGFILE%
schtasks /change /tn %TASKNAME% /s %COMPUTERNAME% /ru %TASKUSER% /rp %TASKPASS% >> %LOGFILE%
cscript.exe %XCACLS% %systemroot%\system32\cmd.exe /E /G %TASKGROUP%:X /L %LOGFILE%
cscript.exe %XCACLS% %systemroot%\tasks\%TASKNAME%.job /E /G %TASKGROUP%:X /L %LOGFILE%
@goto end

:USAGE
@echo Usage: >> %LOGFILE%
@echo task-create_test1.cmd PASSWORD >> %LOGFILE%
::exit 1

:END
echo %DATE% %TIME% >> %LOGFILE%
echo SCRIPT is finished >> %LOGFILE%
echo. >> %LOGFILE%

--- End of bat file --
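
A verification pass for the steps above, as an added example that is not part of the author's script. It assumes the task, user and group names used in task-create_test1.cmd, relies only on schtasks, cacls, secedit and findstr as shipped with Windows 2003, and is meant to be run by an administrator on the server.

```batch
@echo off
:: Added verification example, not part of the original script.
:: Names below are the constructed ones from task-create_test1.cmd.
SETLOCAL
SET TASKNAME=task_test1
SET TASKUSER=MyDomain\MyTaskUser
SET TASKGROUP=MyDomain\MyTaskGroup
SET JOBFILE=%systemroot%\tasks\%TASKNAME%.job
SET CMDEXE=%systemroot%\system32\cmd.exe
SET RIGHTSCFG=%TEMP%\user_rights_%TASKNAME%.inf
SET FAILED=0

:: 1. The task exists. schtasks /query on Windows 2003 has no /tn switch,
::    so the full verbose list is filtered instead.
schtasks /query /fo list /v | findstr /i /l /c:"%TASKNAME%" >nul
if errorlevel 1 (echo FAIL: task %TASKNAME% not found & SET FAILED=1) else echo OK: task %TASKNAME% exists

:: Print name and account of every task; the entry for the task above
:: should show the TASKUSER account, no longer SYSTEM.
echo Expected Run As User: %TASKUSER%
schtasks /query /fo list /v | findstr /i /c:"TaskName:" /c:"Run As User:"

:: 2. The group has an entry in the ACL of the .job file and of cmd.exe.
call :CHECKACL "%JOBFILE%"
call :CHECKACL "%CMDEXE%"

:: 3. Show who holds "Log on as a batch job". secedit may list accounts
::    as SIDs, so this line is printed for review, not matched by name.
secedit /export /cfg "%RIGHTSCFG%" /areas USER_RIGHTS /quiet
type "%RIGHTSCFG%" | findstr /i /c:"SeBatchLogonRight"
del "%RIGHTSCFG%"

echo.
if "%FAILED%"=="1" (echo RESULT: at least one check failed) else echo RESULT: task and ACL checks passed
goto :EOF

:CHECKACL
:: cacls prints one line per ACE; look for the group name in that output.
cacls %1 | findstr /i /l /c:"%TASKGROUP%" >nul
if errorlevel 1 (echo FAIL: no ACE for %TASKGROUP% on %~1 & SET FAILED=1) else echo OK: %TASKGROUP% has an ACE on %~1
goto :EOF
```

Running plain cacls on cmd.exe afterwards shows every account that can now execute it, which is worth recording because that grant applies to the whole server and not only to this task.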


Links
Extended Change Access Control List Tool (Xcacls). Xcacls.vbs is an unsupported tool that provides additional capabilities not provided with the supported utility, Xcacls.exe.
Schtasks

3 comments:

BeaconMRat said...

Do you know how to make this work for 2008 and 2008 R2?

BeaconMRat said...
This comment has been removed by a blog administrator.
Vadim Zenin said...

Hi,

I haven't had a chance to use it on Windows 2008