How to permit access to create Scheduled Tasks for non-Admin users

Discussion in 'Windows Server' started by shdowflare, Sep 7, 2007.

  1. shdowflare

    shdowflare Guest

    Hey all,

    We have a few application experts to which we've given user-level RDP access
    to some W2K3 servers. They want to be able to create scheduled tasks that
    will run under their account. By default, non-Admins can't see the Scheduled
    Tasks applet. "Access Denied" is what they see.

    I've seen some GPO config options regarding the Task Scheduler but I can't
    seem to find one that will allow regular system users to create/modify
    scheduled tasks. Can you guys help me out?

    Thanks in advance,
    shdowflare, Sep 7, 2007
    1. Advertisements

  2. shdowflare

    shdowflare Guest

    Thanks Robert. That's what I was looking for.

    shdowflare, Sep 7, 2007
    1. Advertisements

  3. shdowflare

    RC Guest

    This did not work, is there another solution?
    RC, Nov 12, 2007
  4. shdowflare

    jc Guest

    So far this happen to the W2K3 server version. Hopefully microsoft got
    patches on it.
    jc, Jan 9, 2009
  5. shdowflare

    Ralph Avery Guest

    Create a group (either server local, or domain global) Example : "RunTasks"
    Add any members you want to have the ability to run the task to the group.
    Note, creating a domain global group is easier to manage in the long run.
    If the non-administrator account is currently logged on, log off and back on
    to get the new security descriptor.

    Create a temporary folder at c:\ for example: "C:\TempTask"
    Run "Xcopy c:\windows\tasks c:\TempTask"
    Run "Cacls c:\Windows\Tasks > c:\TaskPerms.txt"
    Run "Cacls c:\TempTask /s > c:\Temp\OriginalPermString.Txt (Save this file,
    this has the original permissions in it in case you need to return)
    Default Perm string for c:\Windows\Tasks =
    Edit the permissions on folder c:\TempTask (Add the new group with "Change"
    permissions on the folder, subfolder, and files.
    Run "Cacls C:\TempTask /s > c:\Temp\NewPerms.txt" (The NewPerms.txt file
    will have your new permissions for the Tasks Folder)
    Copy the SDDL string from NewPerms.txt (This is everything in the Quotes ""
    Command as "cacls c:\windows\tasks /s:"the String from the NewPerms.txt
    file" (It may be easier to enter it in Notepad and then copy it as a whole
    Run that command to set the permissions on the c:\windows\tasks folder.

    Set the permissions on the "Task Scheduler" service

    Download Subinacl.exe from Microsoft
    Create a command...
    SubInAcl /Service Schedule /Grant=RunTasks=F (Replace RunTasks with
    domain\username or Domain\Groupname or simply the group name if it's a server
    local group)

    Test the schtasks /Run /TN TaskName command
    Ralph Avery, Jul 17, 2009
  6. shdowflare

    Simone Guest

    If you add the user to the backup operators group you will give them pretty
    high level access to all the data on the server..
    Simone, Feb 2, 2010
  7. shdowflare

    Simone Guest

    Hi Ralph,

    I tried this on a 2003 R2 Sp2 Server and it granted full access to all
    users. Could I have missed a step? I tried it a few times to make sure, but
    it's possible I was missing something..

    I have users that are local power users, and want them to be able to modify,
    view, execute scheduled tasks - without giving them admin access.

    Any suggestions?
    Simone, Feb 2, 2010
  8. shdowflare

    Simone Guest

    Hi Ralph,

    I tried this on a Windows 2003 R2 Sp2 server and it granted full access to
    all users. Even when I remove users from the newly created group, they can
    still open scheduled tasks and modify them (where they used to get access is

    I tried it a few time to make sure I didn't miss any steps. Do you have any
    other suggestions?

    Simone, Feb 2, 2010
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.