TransWikia.com

Allow non-admin user to run scheduled task in Windows Server 2016

Server Fault Asked by richb on December 18, 2020

In previous versions of Windows we could allow a user to execute a scheduled task by granting Read+Execute permissions to the file in WINDOWSSYSTEM32Tasks.

This no longer works in Windows 2016. I tried granting Full access to the MyTask file for Everyone. But still I get:

schtasks.exe /Run /TN "MyTask"
ERROR: Access is denied.

Has anyone figured out how to make this work in Windows 2016?

EDIT: I granted SeBatchLogonRight to the account with ntrights but it made no difference.

One Answer

Magic Code still requires PSExec to elevate permissions to the “System Account” because the registry keys cannot be modified otherwise:

.psexec.exe -s -i powershell.exe

Then we need to get the Account Sid of the applicable object

get-aduser USERNAME | select sid   #Plenty of other ways to accomplish this

# Then we Get SDDL from existing task, to ensure that we maintain the proper owner and creator ID’s
$PathToTask = "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionScheduleTaskCacheTreeTASKYOUWISHTOALLOWTOBETRIGGERED"
$SDBin =  ( (get-itemProperty $PathToTask).SD )
# the $existingSDDL is the string we will actually be modifying (which is technically of the parent object that we are going to apply the new value to)
$existingSDDL = ([wmiclass]"Win32_SecurityDescriptorHelper").BinarySDToSDDL($SDBin).SDDL
# The result returned below is the interpretation of it in English
$secEnglish = ConvertFrom-SddlString ([wmiclass]"Win32_SecurityDescriptorHelper").BinarySDToSDDL($SDBin).SDDL
$sec.DiscretionaryAcl

# The $existingSDDL will look something akin to the $p1 value
$p1 = 'O:BAG:DUD:(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FA;;;BA)(A;;FR;;;S-1-5-21-0000000000-111111111-2222222222-3333)'
# We then need to add the appropriate DACL for the account/SID we want to grant permissions to and the FA (File Full Access) permission to the string
$p2 = 'O:BAG:DUD:(A;ID;0x1f019f;;;BA)(A;ID;0x1f019f;;;SY)(A;ID;FA;;;BA)(A;;FR;;;S-1-5-21-0000000000-111111111-2222222222-3333)(A;;FR;;;S-1-5-21-0000000000-111111111-2222222222-9999)'

# We then need to convert the DACL into a binary Value to be applied to the SD (REG_BINARY) ****Value****, not the security of the object but the actual value of the SD Key
$p2BinVal = ([wmiclass]"Win32_SecurityDescriptorHelper").SDDLToBinarySD($p2).BinarySD

#Once we have the proper Binary Value we can update the Value of the Key Set-ItemProperty -Path $PathToTask -Name SD -Value (byte[])

#If the key gets set incorrectly to a different data type along the way you can remove it an recreate remove-itemproperty -path $PathToTask -name "SD" New-ItemProperty -Path $PathToTask -Name SD -PropertyType Binary -Value ([byte[]]$p2BinVal)

DACL/SACL Notes: Header D: = DACL S: = SACL G: = Primary Group O: = Owner DACL & SACL are combination of ACEs enclosed in () 6 Fields ACE Type (allow/deny/audit), ACE flags (inheritance and audit settings), Permissions (list of incremental permissions), ObjectType (GUID), Inherited Object Type (GUID), and Trustee (SID) https://itconnect.uw.edu/wares/msinf/other-help/understanding-sddl-syntax/

Answered by Peter Hebenstreit on December 18, 2020

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP