
I am trying to grant some permissions for "NonAdmin" user for "Task Scheduler".

If you execute this command:

```
PS > C:\Windows\System32\sc.exe queryex type= service state=all
```

you can find that "Task Scheduler" service name is "Scheduler":

```
SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
```

Then I tried to run a simple command to display the existing rights:

```
PS >.\subinacl.exe /Service Schedule /display=dacl
```

Tried to grant some rights:

```
PS >.\subinacl.exe /Service Schedule /grant=NonAdmin=R
```

But both commands are throwing Access is denied:

```
Schedule - OpenService Error : 5 Access is denied.


Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        1, Syntax errors        0
Last Done  : Schedule
Last Failed: Schedule - OpenService Error : 5 Access is denied.
```

My environment: OS: Windows 8.1 Enterprise; Workgroup: connected to domain (also tried on VM not connected to domain - same access denied); I am administrator; I run PowerShell as administrator.

How can I solve these "Access denied" issues and grant some rights to the NonAdmin user for the "Task Scheduler"?

Updated 28/11/2017:

With RbMm's help I gave permissions to the user, and he can create a new scheduled task now. One problem is left: he can't delete/remove that created task. I am giving almost all grants to the user:

"(A;;GAGRGWGXRCSDCCDCLCSWRPWPDTLOCRSDRCFAFRFWFX;;;<USER_SID>)"

But I still get this error when I try to delete/remove the scheduled task:

The error returned is: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Notes:

  • This is domain user.
  • I tried to give permissions for the %windir%\Tasks to that user, but it did not help.

What am I missing? Why can't the user delete the task?

Drasius
  • This is a bug in `subinacl.exe`: instead of opening the service with `READ_CONTROL|WRITE_DAC` access, it tries to open it with `GENERIC_ALL|ACCESS_SYSTEM_SECURITY` and as a result gets access denied. It is possible to implement this task yourself using the WinAPI – RbMm Nov 24 '17 at 14:01
  • What do you mean by "winapi" -> sc command? And how to report the bug to MS, so that they fix it :), but I see the last time it was updated was in 2012, so not much hope that it will be fixed... – Drasius Nov 24 '17 at 14:26
  • I mean do this yourself, as a programmer: call `OpenSCManager`, `OpenService`, `QueryServiceObjectSecurity`, `SetServiceObjectSecurity`, `CloseServiceHandle`. The problem with `subinacl.exe` is that it tries to open the service with the `GENERIC_ALL` access right, but `schedule` does not grant full access to admin, and as a result access is denied. – RbMm Nov 24 '17 at 14:32
  • Really, on `schedule` admin does not have the following access: `DELETE|SERVICE_STOP|SERVICE_CHANGE_CONFIG`. You can see that, say, in the *services* snap-in from admin tools: you cannot change the startup type or stop this service, unlike most others. However, it is very easy using the WinAPI to open this service with the correct access: `READ_CONTROL` (needed for query) + `WRITE_DAC` (needed to change security). Admin has both of these access rights – RbMm Nov 24 '17 at 14:37

1 Answer

You can use the `sc sdshow schedule` command to view the schedule security descriptor. By default it returns a string like

```
D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
```

This means:

```
T FL AccessMask Sid
A 00 0002008D S-1-5-11 'Authenticated Users'
A 00 000E01DD S-1-5-32-544 'Administrators'
A 00 000F01FF S-1-5-18 'SYSTEM'
A 00 0002008D S-1-5-32-545 'Users'
```

Note that Administrator does not have full access on this service, only E01DD (it does not have DELETE|SERVICE_STOP|SERVICE_CHANGE_CONFIG).

To change it we can use, for example:

```
sc sdset schedule D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)
```

This means the following access:

```
T FL AccessMask Sid
A 00 0002008D S-1-5-11 'Authenticated Users'
A 00 000F01FF S-1-5-32-544 'Administrators'
A 00 000F01FF S-1-5-18 'SYSTEM'
A 00 000F01FF S-1-5-32-545 'Users'
```

So Users, Administrators, and SYSTEM have full access (F01FF). If you want another access combination, look at Security Descriptor String Format.

RbMm
  • Thanks, I finally understood these strings. At first glance it is a deep forest, that's why we are using "subinacl". This link explains ACE string values: https://msdn.microsoft.com/en-us/library/windows/desktop/aa374928(v=vs.85).aspx – Drasius Nov 27 '17 at 07:17
  • I have one issue left. I am giving almost all rights to the user "(A;;GAGRGWGXRCSDCCDCLCSWRPWPDTLOCRSDRCFAFRFWFX;;;)", but I still get the "The error returned is: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))" error when trying to delete/remove the scheduled task. – Drasius Nov 28 '17 at 07:20
  • @Drasius - this is access to the **service** itself. It lets you (or not) open/start/stop the service and change its config. If you set this SID, you can, say, stop the service or change its startup type. But a **scheduled task** is something absolutely different. It has access **separate** from the service. You need to use [IRegisteredTask::SetSecurityDescriptor](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380769(v=vs.85).aspx) for this. Really, a task is a file, so you need to set the DACL on this file – RbMm Nov 28 '17 at 10:39
  • @Drasius - read [*By default, a user who creates a task can read, update, delete, and run the task. A user must have file write permission on a task file to update a task, file read permission on a task file to read a task, delete permission on a task file to delete a task, and file execute permission on a task to run a task*](https://msdn.microsoft.com/en-us/library/windows/desktop/aa382140(v=vs.85).aspx) – RbMm Nov 28 '17 at 10:40
  • @Drasius - so security on the service (schedule) is one thing, security on a concrete task (file) is another. Different things – RbMm Nov 28 '17 at 10:41
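
The mask tables in the answer above can be reproduced mechanically. The following is an added example, not code from the original post: a Python decoder for the DACL part of a service SDDL string, run over the two descriptors quoted in the answer, which also lists allow ACEs that give a broad group `SERVICE_CHANGE_CONFIG`, `WRITE_DAC` or `WRITE_OWNER`. The function names and the `BROAD` and `WRITE_LIKE` selections are assumptions made for this example.

```python
import re

# SDDL two-letter right codes -> access-mask bits (SDDL ACE string format).
# Generic (GA, GR, ...) and file (FA, FR, ...) codes are not in this table.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# What those bits mean on a service object (winsvc.h / winnt.h names).
SERVICE_BITS = {
    0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
    0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
    0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE",
    0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
WRITE_LIKE = 0x2 | 0x40000 | 0x80000   # reconfigure, rewrite DACL, take ownership
BROAD = {"AU", "BU", "WD", "IU"}       # assumed set of broad SID aliases to flag
ACE_RE = re.compile(r"\(" + ";".join([r"([^;()]*)"] * 6) + r"\)")

# The two descriptors quoted in the answer (sc sdshow default, sc sdset change).
DEFAULT_SD = ("D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)"
              "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
CHANGED_SD = ("D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)")

def decode_rights(rights):
    """Rights field -> integer mask; accepts letter pairs or a 0x... literal."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS[rights[i:i + 2]]   # KeyError on a code the table lacks
    return mask

def parse_dacl(sddl):
    """Return [(ace_type, mask, sid)] for the D: part; the S: (audit) part is skipped."""
    dacl = sddl.partition("D:")[2].partition("S:")[0]
    return [(t, decode_rights(r), sid)
            for t, _flags, r, _obj, _inh, sid in ACE_RE.findall(dacl)]

def right_names(mask):
    return [name for bit, name in SERVICE_BITS.items() if mask & bit]

def risky_aces(sddl):
    """Allow ACEs that hand a broad group write-like control over the service."""
    return [(sid, right_names(mask & WRITE_LIKE)) for t, mask, sid in parse_dacl(sddl)
            if t == "A" and sid in BROAD and mask & WRITE_LIKE]
```

`risky_aces(DEFAULT_SD)` is empty, while `risky_aces(CHANGED_SD)` reports the `BU` (Users) ACE, which is worth noticing before applying that descriptor to a system service.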