Re: Scheduled Task Won't Run Under Limited User




"K" <nospam@xxxxxxxxxx> wrote in message
news:O%23xcpGE2IHA.528@xxxxxxxxxxxxxxxxxxxxxxx
"Pegasus (MVP)" <I.can@xxxxxxxxxx> wrote in message
news:O7o8kDE2IHA.1772@xxxxxxxxxxxxxxxxxxxxxxx

"K" <nospam@xxxxxxxxxx> wrote in message
news:u%23beS8D2IHA.4004@xxxxxxxxxxxxxxxxxxxxxxx
I have a few workgroup machines which I cannot for various reasons join
to the domain.

I have set up 2 scheduled tasks to perform a number of actions at user
logon. These tasks run as administrator and so can perform the relevant
actions.

They show in Scheduled Tasks and run fine when the administrator logs
in, however when a normal user (limited user) logs in, they can neither
see the tasks exist nor do they run.

What do I need to do to get around this problem?

Thank you

There is a conceptual problem here. If your logon script elevates
the user's privilege to that of an administrator then a computer-savvy
user can tap into this script and do whatever he pleases. You might
as well make him an administrator.

Creating a task under the account of the Administrator won't do
the trick, because this task will only run when the administrator
logs on.

What are the actions that require administrative privileges? Can't
you implement them through Group Policy?

They are workgroup machines, so GPO is not an option, and local policy will
be far too time-consuming to implement.

The user logs on as themselves and the scheduled task (which is set to
kick in at user logon) runs using the admin account. The script performs
a number of audit actions and then FTPs the data back to head office.
The actual scripts are secured on the DACL to admin only so the user
cannot tamper with them.

This DOES work on some machines. The scheduled tasks both show up and run
whether user or admin logs in. There are as described though a number of
problematic machines where the scheduled tasks were created under the
admin account and are not visible (therefore do not run) under the user
account.

How can I make all tasks visible to all users?

There are two ways to make a task visible:
- Log on under the same account as the one used for the task.
- Log the output of each command processed by the task. If
  it is a batch file then you do it like this:

    @echo off
    rem Timestamp each run so the log shows whether the task fired at all
    echo %date% %time% >> c:\test.txt
    rem Append both stdout (1) and stderr (2) of the program to the same log
    c:\SomeFolder\SomeProgram.exe 1>>c:\test.txt 2>>&1
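
Added example, not part of the original thread: one way to check the claim that the scripts run by the elevated logon task are writable by administrators only, since a task that runs as admin inherits whatever the script file contains. It assumes PowerShell 3 or later is available on the machine; the path C:\Audit\audit.cmd and the function name Get-RiskyAccess are hypothetical.

```powershell
# Added example, not from the thread. The default path is a hypothetical placeholder.
param([string]$ScriptPath = 'C:\Audit\audit.cmd')

# Rights that let a principal alter or replace the script, or rewrite its DACL/owner.
$risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL, which Get-Acl can surface as raw bits on some ACEs.
$risky = $risky -bor 0x50000000

# Principals expected to hold those rights: SYSTEM and BUILTIN\Administrators.
$trusted = 'S-1-5-18', 'S-1-5-32-544'
$sidType = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-RiskyAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path

    # The owner can always rewrite the DACL, so an untrusted owner is a finding too.
    $owner = $acl.GetOwner($sidType).Value
    if ($trusted -notcontains $owner) {
        [pscustomobject]@{ Path = $Path; Sid = $owner; Finding = 'Owner' }
    }

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this object.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $hit = [int]$ace.FileSystemRights -band $risky
        if ($hit -ne 0) {
            [pscustomobject]@{ Path = $Path; Sid = $ace.IdentityReference.Value
                               Finding = [System.Security.AccessControl.FileSystemRights]$hit }
        }
    }
}

# Check the script itself and its folder: write access to the folder allows replacing the file.
$file = Get-Item -LiteralPath $ScriptPath
$findings = @(Get-RiskyAccess $file.FullName) + @(Get-RiskyAccess $file.Directory.FullName)
if ($findings.Count -eq 0) { "No write access for non-administrative principals." }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt on each workstation; any row it prints names a SID other than SYSTEM or Administrators that could change what the admin-context task executes.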

