I've created a Scheduled Task via schtasks.exe so that it runs as an elevated account [A]. However, my reduced privilege account [B] can't manually trigger the task to run through the Task Scheduler or via the CLI.
I have tried:
- Changing the permissions for the file in C:\Windows\System32\Tasks to allow the [B] account to read and execute. This apparently works in Server 2008, but it didn't seem to work in Server 2016.
- Pulled the permissions from the Registry to inspect, but could not edit the Registry SDDL for the task to overwrite the Registry.
- Switched to PowerShell Register-ScheduledJob and associated Start-Job, but still doesn't allow the [B] account to trigger the Scheduled Job or Scheduled Task.
My intent is to allow the restricted account [B] to run a process without allowing direct access to the files that are ACL restricted to the elevated [A] account. The process needs to run with [A] permissions to access the files and pass the selected data back to a process running with [B] permissions.
Note - I'm guessing that I should set up a Service to do this, but I'm trying to do it in scripting. If you have a good example of setting up a System Service, I'll take that as well!
Thanks! :)