Administrator doesn't have permission/rights to run tasks !?

Discussion in 'Windows Vista Administration' started by Paul, Jun 19, 2007.

  1. Paul

    Paul Guest

    Hello everyone,

    I'm trying to run a simple task. I'd like Vista's "task scheduler" to
    periodically run a .bat file that I made which goes to the following two
    directories and deletes the IE7 cookies that are stored there.

    C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low
    C:\Users\<usersname>\AppData\Roaming\Microsoft\Windows\Cookies

    However, I am told that I do not have permission to access these
    directories. How can that be, since administrators should have access to all
    files and directories on the computer. The other error that I get is that
    "task scheduler" tells me that I do not have the "batch rights" to save this
    task.

    Any insight into this would be a big help.

    Paul
     
    Paul, Jun 19, 2007
    #1
    1. Advertisements

  2. Because even thought you may have created an account that is a member of the
    administrators group even you installed Windows Vista that account is
    subject to UAC (User Account Control) and thus protected from doing certain
    tasks without reconfirming etc.
    This includes the ability to access al files and folders on the system by
    default. If you need access to certain files and folders then you may need
    to grant that account access and the appropriate permissions to them.
    The same is true of certain privileges (rights) within the system.

    As a member of the administrators group you can use the appropriate tools to
    grant these rights and permissions to yourself.
    Windows Vista is just a little more secure by default to prevent people who
    think they are admins from making mistake.
    If you are an experienced and competent administrator then just use the
    tools to grant yourself what you need.
     
    Mike Brannigan, Jun 19, 2007
    #2
    1. Advertisements

  3. Paul

    Julian Guest

    But...

    I was trying to share a mounted drive (Z:) so that the UNC path indexer
    works and created a batch file to do it for me.

    However, even though I am a member of the admin group AND have set my
    individual perms to FULL control on Z I get "access denied err 5" - I do not
    get a UAC or other prompt for a confirmation password.

    If however I "run as admiistrator" "CMD" - say OK to UAC and then run the
    batch file it is fine.

    This seems inconsistent to me (and if there's one inconsistency it would not
    be inconsistent with Murphy's laws for there to be more...)

    Thoughts?
     
    Julian, Jun 19, 2007
    #3
  4. Paul

    mikeyhsd Guest

    there is a way to run COMMAND with elevated prompt and then allow you to include the batch file name.
    do not know what the switch is for the elevated prompt.
    maybe someone can pitch in.







    Hello everyone,

    I'm trying to run a simple task. I'd like Vista's "task scheduler" to
    periodically run a .bat file that I made which goes to the following two
    directories and deletes the IE7 cookies that are stored there.

    C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low
    C:\Users\<usersname>\AppData\Roaming\Microsoft\Windows\Cookies

    However, I am told that I do not have permission to access these
    directories. How can that be, since administrators should have access to all
    files and directories on the computer. The other error that I get is that
    "task scheduler" tells me that I do not have the "batch rights" to save this
    task.

    Any insight into this would be a big help.

    Paul
     
    mikeyhsd, Jun 19, 2007
    #4
  5. Paul

    Jimmy Brush Guest

    Hello,

    In Windows Vista, even though you are an administrator, only programs
    that ask for your permission ("Windows needs your permission to
    continue") are allowed to use your admin rights.

    This isn't meant to protect you from yourself; rather, this prevents
    programs that you do not start from using your admin power.

    If you need a program you are starting from task scheduler to run with
    admin rights, you will need to run the task with 'highest privilege' by
    checking the appropriate box, or running it in the context of a system
    account.

    At what time do you receive the batch rights / access denied errors?
     
    Jimmy Brush, Jun 19, 2007
    #5
  6. Paul

    Julian Guest

    Hi Jimmy,

    In my case the access denied occurs on the Net Share command.

    I appreciate the protection from things running things without my permission
    but

    1. I have runas in the batchfile and I must give it my password - that
    should be enough
    2. Even though it clearly isn't enough, when it gets to the Net Share, why
    don't I get a UAC prompt? why does it just go ahead - and fail?

    [I run with Admin rights all the time now as it makes no difference to UAC
    for the reasons you outline but at least I can click to continue rather than
    having to enter a password each time]

    [Incidentally, when I accidentally "ranas" with the wrong user account
    ("Admin" instead of my username, but obviously an account with Admin rights)
    I also got an access denied on running SyncToy (the next line in the batch
    file) because it was Julian's app - I think - it doesn't make any sense to me
    to block things like this]

    I hope someone can answer mikeyhsd's Q about an appropriate switch for COMMAND

    Thanks
     
    Julian, Jun 19, 2007
    #6
  7. Paul

    Jimmy Brush Guest

    I am confused - are you or are you not starting the batch file from task
    scheduler?

    There's no need to use runas when you're using task scheduler - you can
    specify using task scheduler what user to run the batch file under - and
    by checking the highest privilege box, it will allow the file to use the
    admin power.

    The reason entering a password into runas isn't good enough for
    elevation is because other programs can run this command on your behalf
    without your knowledge. The UAC prompt ensures that you are actually the
    one performing the action, in such a way that programs can't fake.

    The reason task scheduler can do this but runas cant is because task
    scheduler is only accessible to administrator programs that have already
    prompted, while runas can be used by any program.

    Unfortunately, command-line programs don't prompt for admin power
    on-demand when they are run (which would make this scenario possible).
    They must be ran from a command prompt that you have started with admin
    power by right-clicking it and clicking run as administrator. But even
    in that case, runas wont work like you want it to (and I don't have a
    good reason why this happens, either; one would think it would).

    I'm not exactly sure why it was designed that way.

    Using runas to run a program under a different account does not elevate
    the program to administrator status, even if the user is an
    administrator, nor is there any way to cause it to prompt for elevation
    that I am aware of.

    I highly recommend not using runas for this purpose and instead use the
    task scheduler to run the batch file in the context of the account you want.

    However, if you must have runas work as you expect it to, you can enable
    the built-in administrator account from an elevated command prompt (net
    user administrator /active:yes) and then set its password to something.

    If you use the runas command to run something in the context of the
    built-in administrator account, that program *will* have admin power and
    it *will not prompt for permission*.

    While this makes things easier, it is less secure than using the task
    scheduler, because 1) the admin password is stored in plaintext and 2)
    the access permissions on your batch files are less strict than the ones
    on the task scheduler, unless you manually modify them.
     
    Jimmy Brush, Jun 19, 2007
    #7
  8. Paul

    Jimmy Brush Guest

    Actually, after thinking about it some more, it is probably more to keep
    your password secure from other programs that to keep other programs
    from using your password.

    It would be different if runas was hooked into UAC to allow it to
    securely ask for the info, but then it would have a dependency on UAC,
    which wouldnt work for the people who turn it off.
     
    Jimmy Brush, Jun 19, 2007
    #8
  9. Paul

    Julian Guest

    Sorry for any confusion - my issue is related to but different from the
    original post - I wasn't claear enough about that: this has nothing to do
    with the task scheduler.

    Must confess I didn't understand the point that
    because I hadn't found a way to pass a password into runas - I don't find a
    parameter for that so I can't see how another program could run something on
    my behalf (and where would it get the password from??)

    I am very tempted to join the "UAC OFF Club" - after three months now I am
    heartily sick of jumping through hoops. I read the technique (was it yours?)
    for using scheduler to get UAC-causing tasks to run without UAC prompts at
    startup but it seems that to make a Microsoft omelette breaking the eggs is
    just not good enough - they have to be painstakingly disassembled according
    to some obscure specification.

    Thanks for the feedback though - it was illuminating...

    Julian

     
    Julian, Jun 19, 2007
    #9
  10. Paul

    Jimmy Brush Guest

    Windows Vista is a big change from XP, which will inevitably require
    learning new ways of doing the same thing.

    We can only hope that there will be some benefit as a result of changing
    over. I am convinced there is. :)
     
    Jimmy Brush, Jun 19, 2007
    #10
  11. Paul

    Paul Guest

    Thanks for your reply, Jim.

    I get the "batch rights" message when I try to make changes to the task.
    It says you need these rights in order to save those changes.

    I actually did try checking the "run with highest priveleges" box. Nothing
    changed.

    Paul
    ___________________________________
     
    Paul, Jun 20, 2007
    #11
  12. Paul

    Paul Guest

    'Competent and experienced administrator' ? Not really. I am setting up a
    new computer for my parents to use. I am trying to set up this automated
    task so that my parents don't have to bother with this. I have never used
    Vista before and I have never been an administrator before. Up until now I
    have been using Win98.
    _________________________________
     
    Paul, Jun 20, 2007
    #12
  13. Paul

    Jimmy Brush Guest

    Hmm...

    So, you get the error from the task scheduler interface itself when
    trying to change the properties of the task?

    Do you get the error after entering your username and password after
    clicking OK?

    If yes to both, try telling the program to run in the context of a
    system account -> Click change user or group, type system, press enter.

    Can you change any of the attributes of the task, or do you only get the
    message when changing certain properties?

    Are you an administrator?

    If you are an administrator, could you do this:

    - Click start
    - Type: command prompt
    - Right-click command prompt when it appears
    - Click Run As Administrator
    - Type: whoami /all
    - Paste the results of this command into a reply
     
    Jimmy Brush, Jun 20, 2007
    #13
  14. Paul

    Jimmy Brush Guest

    I am only interested in the "privileges information" section
     
    Jimmy Brush, Jun 20, 2007
    #14
  15. Paul

    Paul Guest

    Hello Jimmy,

    Sorry for the late reply; I was out of town for a few days.

    To answer your question. I do get the error after typing the admin password
    and clicking "OK". It looks like it doesn't like one of the settings.

    I tried your other suggestion and changed the user to "SYSTEM" in the task
    properties. According to the event viewer, the tasks ran successfully.
    However, the cookies were not deleted ! Here is what the event viewer said:

    "Task Scheduler successfully finished
    "{D4AC8E70-A4F4-409F-9912-E4B1EC320E35}" instance of the
    "\Paul'sTasks\PPADeleteCookies" task for user "WORKGROUP\PARENTSPC$"."

    I also typed "whoami /all" in the command window. There were 23 items in
    the "priveleges information" section, all of them were disabled. I couldn't
    do a copy&paste.
    _______________________________
     
    Paul, Jun 25, 2007
    #15
  16. Paul

    Just a quick tip.

    To copy the text in the command window, click the small icon at the top/left
    of the command window. This will reveal a menu. Click Edit / Select All and
    then press ENTER. This will copy all of the text in the window to the
    clipboard.

    Open an instance of Notepad and Right Click / Paste. You can then edit the
    text to focus on the info you need and then copy/paste the results into your
    newsgroup reply.
     
    Ronnie Vernon MVP, Jun 25, 2007
    #16
  17. Paul

    Jimmy Brush Guest

    Try changing the "command to execute" for the task to:

    c:\windows\system32\cmd.exe /E:ON /C "c:\path\to\file\file.bat"
     
    Jimmy Brush, Jun 26, 2007
    #17
  18. Paul

    Paul Guest

    It works now, thanks Jimmy.

    Paul

    â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•
     
    Paul, Jun 27, 2007
    #18
  19. Paul

    Jimmy Brush Guest

    Glad you got it working :)
     
    Jimmy Brush, Jun 27, 2007
    #19
  20. Paul, when I go to Systems, I am not even listed as "administrator", even
    though in the Control Panel I am listed as the administrator. Every since my
    computer was repaired, someone named 'v' is the administrator, and there
    seems to be
    nothing I can do to change 'v' to my name. I even bought and ran the RegCure
    program which made a scan of everything in my computer and found about one
    million errors! So I am really perplexed! How can I get rid of Mr. 'v' as
    the administrator of MY computer?
     
    Soul Always Sings, Mar 5, 2008
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.