1

Is it possible to run a CMD script in Task Scheduler as a particular user without checking the option "Run with highest privileges"?

Simple test:

  1. Create D:\Admin\Scripts\TestScripts\testscript.cmd
  2. Script is very simple: echo success > D:\Admin\Scripts\TestScripts\out.txt
  3. Grant full permissions to user mydoman\admin (member of the Domain Admins group, which is included in the local Administrators group when the server is a domain member) on D:\Admin\Scripts\TestScripts and all subdirs and files
  4. Create task with action:
    • command: D:\Admin\Scripts\TestScripts\testscript.cmd
    • start in: D:\Admin\Scripts\TestScripts
  5. Change user to mydoman\admin
  6. Select "Run whether user is logged on or not"
  7. DO NOT select "Run with highest privileges"
  8. OK, enter password, done

Start task manually, and it finishes with code 0x1.

If I check the "Run with highest privileges" option, it runs fine. The out.txt file is created.

The same effect occurs when the task is created with these parameters:

  • command: cmd.exe
  • args: /c D:\Admin\Scripts\TestScripts\testscript.cmd
  • start in: D:\Admin\Scripts\TestScripts

The questions are:

  1. Is it mandatory to check "Run with highest privileges"?
  2. Can the CMD script run without highest privileges?
  3. Does MS have any article with a clear explanation of how and why to run CMD files in Task Scheduler?

  • I'm not able to reproduce this problem. Can you include the output of the command: ICACLS D:\Admin\Scripts\TestScripts – Greg Askew Sep 07 '13 at 16:09

2 Answers

1

This is UAC kicking in. Long story short, you need to provide write access to the target directory for the given user, WITHOUT relying on the user's membership of the Administrators group.

e.g.: if the ACLs for the current directory are:

Administrators:(OI)(CI)(F)
SYSTEM:(OI)(CI)(F)
Authenticated Users:(OI)(CI)(RX)

...you need to either add a direct ACL entry, e.g.: username:(OI)(CI)(M) or an ACL entry for a group that the user is a member of.

The reason being, UAC is preventing the membership of the Administrators group having any effect, without prior elevation. This is by design.

I hope this makes sense.

Simon Catlin
0
  1. No
  2. Yes

As long as your (admin) user, who runs the tasks, can perform the same operation on a normal non-elevated command prompt, it should also work through task scheduler.

Most likely your admin user needs elevation to write a file in that directory. So the same is true via the task.

"Run with highest privileges" just tells the task scheduler to elevate the user first before executing the command.

Try writing a file in a directory where 'users' have write permissions; it will work without 'highest privileges'.

Peter Hahndorf
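A check that follows from both answers above, added here as an example and not part of either answer: run as the task's account from a non-elevated PowerShell prompt, it reports which Allow entries on the folder can grant write access when BUILTIN\Administrators is not active in the token. The `$Path` default is the directory from the question; Deny entries and share permissions are not evaluated.

```powershell
# Added example: run as the task's account from a NON-elevated PowerShell prompt.
# $Path defaults to the directory from the question. Deny ACEs are not evaluated.
param([string]$Path = 'D:\Admin\Scripts\TestScripts')

$adminSid  = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)

# False under UAC's filtered token, even when the account is a member of Administrators.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# SIDs that can satisfy an Allow ACE for this token.
$usable = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })
if (-not $elevated) { $usable = @($usable | Where-Object { $_ -ne $adminSid }) }

# Allow ACEs that apply to the directory itself and include WriteData (create files).
$writeData   = [int][Security.AccessControl.FileSystemRights]::WriteData
$inheritOnly = [int][Security.AccessControl.PropagationFlags]::InheritOnly
$acl = Get-Acl -LiteralPath $Path
$writeAces = @($acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $writeData) -ne 0 -and
        (([int]$_.PropagationFlags) -band $inheritOnly) -eq 0
    })

# Split the write-capable ACEs into those this token can use and those held by Administrators.
$granting   = @($writeAces | Where-Object { $usable -contains $_.IdentityReference.Value })
$adminsOnly = @($writeAces | Where-Object { $_.IdentityReference.Value -eq $adminSid })

"Token elevated: $elevated"
if ($granting.Count -gt 0) {
    'Write access is granted by: ' +
        (($granting | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
} elseif ($adminsOnly.Count -gt 0) {
    'Write access exists only through BUILTIN\Administrators, so it needs elevation.'
    'From an elevated prompt, add a direct entry as the first answer describes:'
    "  icacls `"$Path`" /grant `"$($identity.Name):(OI)(CI)(M)`""
} else {
    'No Allow entry on this folder gives the current token write access.'
}
```

With the ACL shown in the first answer, a non-elevated run takes the second branch; after the direct `(OI)(CI)(M)` entry is added, it takes the first.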