Re: Remote Task Scheduler access problem

The server OS is Windows Server 2003 Standard Edition SP1, and the clients
are Windows XP Professional SP2.

I guess this is going to turn into a request for the Windows development
team to correct the help file then - because it is certainly misleading the
way it's put. The excerpt I provided in my original post is from the actual
Windows help topics for Task Scheduler (in the help index it's listed under
"security methods and issues", then "Task Scheduler"). The line "However, a
member of the Administrators group can enable a member of any group to
create or modify scheduled tasks, by using the cacls command to modify the
discretionary access control list (DACL) of the Tasks folder." seems to
indicate that there's a way around the Administrator-only restriction.

Of course there's a disclaimer at the top of the topic that "This content
might have been updated. For the most recent version, see the TechCenter Web
site." But clicking that link is not context sensitive, and trying to find
the exact information can be frustrating. I managed to get as far as the
topic "Schedule a task on a remote computer" on the page
http://technet2.microsoft.com/WindowsServer/f/?en/Library/6707dcc5-526b-4ee0-bc8b-d8cde1fb71711033.mspx,
which told me that:

To perform this procedure, you must be a member of the Administrators
group, or have been delegated the appropriate authority, on the remote
computer. As a security best practice, consider using Run as to perform this
procedure. For more information, see Default local groups , Default groups ,
and Using Run as .
So I thought maybe I could be "delegated the appropriate authority". Is this
an option? Unfortunately, it too was followed by another disclaimer:

Your server might function differently based on the version and edition of
the operating system that is installed, your account permissions, and your
menu settings. For more information, see Viewing Help on the Web .

So I guess no matter where I look, I get mixed answers. If you're telling me
that without a doubt, there's no way around the requirement to put users in
the Administrators group to access scheduled tasks, then it saves me a lot
of trouble following link after link to dig up the answer.

Thanks for your time!

"Vincent Xu [MSFT]" <v-xuwen@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:WA0J3ighGHA.464@xxxxxxxxxxxxxxxxxxxxxxxx
Hi,

What is the exact OS version?

This post is in microsoft.public.windows.server.general queue, so I
suspect
the OS is Windows server 2003. This is by design in Windows 2003,they have
tightened the security in 2003. The OS won't let you schedule a job with
a
standard user account.

Sorry for any inconvenience.


Best regards,

Vincent Xu
Microsoft Online Partner Support

======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================



--------------------
From: "Brian L." <699df88b-2059788708@xxxxxxxxxxxxxx>
Subject: Remote Task Scheduler access problem
Date: Thu, 1 Jun 2006 14:48:20 -0400
Lines: 43
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
X-RFC2646: Format=Flowed; Original
Message-ID: <OIZCNLbhGHA.4252@xxxxxxxxxxxxxxxxxxxx>
Newsgroups: microsoft.public.windows.server.general
NNTP-Posting-Host: 204-60-67-237.connecticare.com 204.60.67.237
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.general:97324
X-Tomcat-NG: microsoft.public.windows.server.general

Hello all,

I am trying to grant a few users access to see (as well as run and stop)
scheduled tasks on one of our servers. I have been looking at the help
pages
for Task Scheduler, and I'm not having any luck. They are able to see the
Scheduled Tasks folder, listed with the other shares on the system, if
they
navigate to it in the network (or start -> run -> \\server). However, if
they double-click on the Scheduled Tasks folder it doesn't open. The only
way around this has been to put the users into the local Administrators
group of the server. I'd like to avoid this if possible.

The answer seems to be in one section of the help page, but I haven't
been
able to get this to work:

By default, to schedule a task, you must be a member of the
Administrators,
Backup Operators, or Server Operators group on the local computer. By
default, when creating a scheduled task, you cannot enter a user who
belongs
to a group that has more rights than the group you belong to. For
example,
if you are a member of the Backup Operators group on the local computer,
you
cannot specify a member of the Administrators group when creating a
scheduled task. However, a member of the Administrators group can enable
a
member of any group to create or modify scheduled tasks, by using the
cacls
command to modify the discretionary access control list (DACL) of the
Tasks
folder. By default, the Tasks folder is located in the \Windows folder on
the hard drive of the local computer, for example C:\Windows\Tasks. For
more
information about using cacls, see Cacls.


Now the above excerpt says that I can grant someone access, using cacls,
to
the C:\Windows\Tasks folder on the server. So I created a group on the
domain, put one of the users into the group, used cacls to grant access
to
the C:\Windows\Tasks folder (at first Change, then I tried Full Control),
then logged out and back in to make sure group membership took effect.
The
folder still behaved the same way - visible but I can't open it.

Does anyone know what I'm doing wrong? Or is the help file incorrect, and
that method won't work? Any help is appreciated! Thanks.

-Brian








.

Relevant Pages

  • Re: MAPI wouldnt run while Windows 2003 Server is on the log off mode. How to
    ... My task is to create an apps on a factory that read daily ... Windows' Scheduled Tasks help. ... The applicaton runs on the server. ... The Windows Scheduled Tasks indicate that the apps runs fine ...
    (microsoft.public.fox.programmer.exchange)
  • Windows 2003 Server Scheduled Tasks
    ... Everything was working fine until I installed windows 2003 SP1 on a windows ... 2003 server which is also a domain controller. ... backup but i cannot start the scheduled tasks. ... Before the installation of Windows 2003 SP1, ...
    (microsoft.public.windows.server.general)
  • Re: Re: Assiging Group Policy to 1 GROPUP
    ... excude the Administrators group from inheriting the policy. ... > You are running NT 4 and the server you refer to is just a Windows ...
    (microsoft.public.win2000.group_policy)
  • Re: MAPI wouldnt run while Windows 2003 Server is on the log off mode. How to make it run?
    ... My task is to create an apps on a factory that read daily ... Windows' Scheduled Tasks help. ... The applicaton runs on the server. ... The Windows Scheduled Tasks indicate that the apps runs fine ...
    (microsoft.public.fox.programmer.exchange)
  • Re: Administrator account
    ... I am going to assume that the Windows 2000 SBS server is your Primary ... Let us also call the account with which you aren't able to ... Hope that the Administrators group has not been added to the ...
    (microsoft.public.security)