16

At the moment, I have task that is configured to run as user "automatictask"

But the task will not run, "unable to start" is shown.

When I add this user to the Administrators group, then the task runs fine.

But in real life.... I want this user to be SUPER restricted.... ONLY able to run this task, no login rights, no file system rights other than to the one batch file....

I have searched high and low for a document that says "here is the most stripped down, basic user that can run a task" ....

There seems to be no such document!

Suggestions?

Thanks!

Jonesome Reinstate Monica
  • 5,445
  • 10
  • 56
  • 82

1 Answer

19

Other than the filesystem permissions, you'll need to allow Log on as a batch job. It controls allowing the session to be created for a scheduled task.

The task scheduler should put the user in that allow list when you create the task. You can confirm with the Local Security Policy tool. The other possibility is that it's configured through group policy, in which case, do some digging in the resultant set of policy and find the GPO that needs to be changed.


Here's the other thing: Check out the permissions on c:\windows\system32\cmd.exe. They're funky. If you've removed the user from the Users group, it can't run cmd.exe by default, which tends to be a big part of running a batch file. Add the user to that ACL, with read/execute. Check any and all executables the batch file needs to touch.

Shane Madden
  • 114,520
  • 13
  • 181
  • 251
  • You need to log in as **admin** and grant the already mentioned `Log on as a batch job` permission. Do this via the ntrights.exe from 2003. It's a component of the `Windows 2003 Resource Kit` - google for a download link. The tool still works on **Windows Server 2019**. The right is called `SeBatchLogonRight`. And the full command is: `ntrights -u USERNAME +r SeBatchLogonRight` – FireEmerald May 04 '21 at 15:04
  • Or, to add the user rights, you can use the Local Security Policy MMC, or use the updated and more preferred CLI tool `secedit.exe`. `secedit /` will give you lots of help, and of course, there's online docs from MS. – fourpastmidnight Jan 25 '22 at 15:04
  • Also, I would add that I just found out that adding a scheduled task via script (i.e. PowerShell) DOES NOT automatically add the 'Log on as a batch job' (`SeBatchLogonRight`) user right. So if programmatically creating the task, you'll want to use `secedit.exe` to modify the local security policy of the server. – fourpastmidnight Jan 25 '22 at 15:06
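The checks the answer and the comments describe, as an added PowerShell example (not code from the answer or from Microsoft): it exports the local user-rights assignments with `secedit`, tests whether the task account holds `SeBatchLogonRight`, optionally grants it (again via `secedit`, preserving the existing holders), and then inspects the ACL on `cmd.exe` for a read/execute entry for that account. The account name `automatictask` and the paths under `$env:TEMP` are assumptions; run it from an elevated PowerShell session on the machine that hosts the task.

```powershell
# Added example, not from the original answer. Assumes a local account named
# 'automatictask' (the name used in the question) and an elevated session.
param(
    [string]$Account = 'automatictask',   # assumed task account
    [switch]$Grant                        # add SeBatchLogonRight if missing
)

# secedit writes user rights as *S-1-... SIDs, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-BatchLogonHolders {
    # Export only the USER_RIGHTS area and return the current SeBatchLogonRight entries.
    $cfg = Join-Path $env:TEMP 'userrights-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
    if (-not $line) { return @() }
    return (($line -split '=', 2)[1].Trim() -split ',') | ForEach-Object { $_.Trim() }
}

function Test-BatchLogonRight {
    # True when the account (by SID or by name) is in the allow list.
    $holders = Get-BatchLogonHolders
    return ($holders -contains "*$sid") -or ($holders -contains $Account)
}

function Grant-BatchLogonRight {
    # Rewrite the assignment with the existing holders plus this account.
    # [Privilege Rights] replaces the whole list, so the old entries must be kept.
    $holders = Get-BatchLogonHolders
    if ($holders -contains "*$sid") { return }
    $newList = (@($holders) + "*$sid") -join ','
    $inf = Join-Path $env:TEMP 'grant-batch-logon.inf'
    $db  = Join-Path $env:TEMP 'grant-batch-logon.sdb'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeBatchLogonRight = $newList
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
}

function Test-ExecuteAccess {
    # Check for a direct Allow entry on the file granting ReadAndExecute to the account.
    # Rights inherited through group membership (e.g. Users) are not resolved here.
    param([string]$Path)
    $want = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $acl  = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $aceSid = $ace.IdentityReference.Translate(
                      [System.Security.Principal.SecurityIdentifier]).Value
        if ($aceSid -eq $sid -and (($ace.FileSystemRights -band $want) -eq $want)) {
            return $true
        }
    }
    return $false
}

# 1. Log on as a batch job
if (Test-BatchLogonRight) {
    Write-Host "$Account already holds SeBatchLogonRight."
} elseif ($Grant) {
    Grant-BatchLogonRight
    Write-Host "Granted SeBatchLogonRight to $Account (re-run without -Grant to confirm)."
} else {
    Write-Host "$Account is missing SeBatchLogonRight; re-run with -Grant or fix the GPO."
}

# 2. Executables the batch file needs; cmd.exe is the one the answer calls out.
foreach ($exe in @("$env:SystemRoot\System32\cmd.exe")) {
    $ok = Test-ExecuteAccess -Path $exe
    Write-Host ("{0}: {1}" -f $exe, $(if ($ok) { 'read/execute present' } else { 'no direct read/execute entry' }))
}
```

If the right keeps disappearing after `-Grant`, a group policy is reasserting the assignment at refresh time, which is the answer's second case: the list in the GPO, not the local policy, is what has to change. Extend the `$exe` list with every program the batch file calls so each gets the same ACL check.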