AGBrown
asked on
What are the minimum security requirements for task scheduler?
I want to copy files from a folder on a target machine to my web server, using a minimum security account. The account I have set up (call it Copier), so far is:
-a member of Users (only)
-is in the Allow Log on locally
-is in the Log on as a batch job
I then have the xcopy job set up. This works if run under a command line that is RunAs Copier.
I have then set up the scheduled task, and run it as Copier. It fails each time with the message "Could not start".
If run with Copier in the Administrator group, it works.
Giving Copier Full permissions to C:\Windows\Task (this was a last resort) did not help.
What have I missed?
Andy
ASKER
Target and destination folders are fine as it works when run under the command prompt using the Copier account to run cmd.
I should mention that this is not in a domain, it is a standalone web server.
ASKER
That problem has been solved by pointing the task at xcopy directly, not at a batch job. So back to the original point of the question - what are the minimum security requirements to get this to work? Can I remove the Copier account from the Users group? Does that increase my security?
I wouldn't remove the Copier account from Users, as I think you will then lose any rights. You can try, though; I'm used to domain environments, so I may be a little off on local groups :)
ASKER
I gave it a shot, and it still works. But I can't work out why it needs to be in the admin group to run the batch file. It has full permissions on the batch file and all folders higher up than the batch file to the drive root, so that's not it. What else does it need to be able to use the .bat file as the job?
ASKER
Curiouser. I checked the scheduled tasks log and I got this:
"xcopy test.job" (xcopy foreign.bat) 28/03/2006 17:54:27 ** ERROR **
Unable to start task.
The specific error is:
0x80070005: Access is denied.
Try using the Task page Browse button to locate the application.
Except, again, the Copier account has no problem executing this task when cmd is run under the copier account.
ASKER
I found the answer. I had to give the user account execute permissions on cmd.exe, as this guy found:
http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=43812
So the answer is:
-Create a custom account (Copier in this case)
-Create a custom group (makes it easier to have lots of different copier accounts later on) (call it Copiers)
-Remove Copier from Users, and add it to Copiers
-Add Copiers to the "Allow log on locally" and "Log on as a batch" local security policies
-Ensure minimum "List folder contents" permissions for Copier on its target folder and all containing folders for that folder
-Ensure the same for the folder with the batch job in it
-Ensure minimum permissions for the target folder for the task (for xcopy this is Modify) for Copier
-Ensure Read&Execute on the batch job for Copier
-ENSURE EXECUTE ON CMD.EXE for the Copiers group
For this job, you also then need read/list ACL and read share permissions on the source share.
And you don't need the "Access this computer from the network" permissions.
Andy
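A read-only audit of the checklist in the post above, as an added example that is not part of the original thread. The group name follows the post; the batch file and folder paths are hypothetical. It counts only Allow entries that name the group directly and does not evaluate Deny entries or access that arrives through other groups, so a False row means "no explicit grant", not proof of denial.

```powershell
# Added example (not from the thread): read-only audit of the checklist above.
# Group name follows the post; all paths are hypothetical. Run from an elevated prompt.
$Group     = 'Copiers'
$JobFile   = 'D:\Jobs\copy-files.bat'    # batch file the task points at (assumed)
$TargetDir = 'D:\Incoming'               # xcopy destination (assumed)
$Cmd       = Join-Path $env:SystemRoot 'System32\cmd.exe'
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# True when Allow ACEs that name the group directly cover every bit of $Need.
# Access that arrives through other identities (BATCH, Everyone, ...) is ignored.
function Test-Grant([string]$Path, [System.Security.AccessControl.FileSystemRights]$Need) {
    $have = 0
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $applies = ($ace.PropagationFlags -band 2) -eq 0      # 2 = InheritOnly
        if ($ace.IdentityReference.Value -eq $sid -and $ace.AccessControlType -eq 'Allow' -and $applies) {
            $have = $have -bor [int]$ace.FileSystemRights
        }
    }
    ($have -band [int]$Need) -eq [int]$Need
}

# Every folder above the target and the batch file must be listable by the group.
function Get-Ancestors([string]$Path) {
    for ($p = Split-Path -Parent $Path; $p; $p = Split-Path -Parent $p) { $p }
}
$dirs = @($TargetDir) + @(Get-Ancestors $TargetDir) + @(Get-Ancestors $JobFile) |
        Select-Object -Unique
$checks  = @($dirs | ForEach-Object { @{ Path = $_; Need = 'ReadAndExecute' } })  # List folder contents
$checks += @{ Path = $TargetDir; Need = 'Modify' }           # xcopy writes here
$checks += @{ Path = $JobFile;   Need = 'ReadAndExecute' }
$checks += @{ Path = $Cmd;       Need = 'ReadAndExecute' }   # the grant the post found missing

$report = @(foreach ($c in $checks) {
    [pscustomobject]@{ Item = $c.Path; Need = $c.Need; Ok = (Test-Grant $c.Path $c.Need) }
})

# "Allow log on locally" and "Log on as a batch job", read from a policy export.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$report += @(foreach ($right in 'SeInteractiveLogonRight', 'SeBatchLogonRight') {
    $hit = Select-String -Path $inf -Pattern "^$right\s*=.*(\*$sid|\b$Group)\b"
    [pscustomobject]@{ Item = $right; Need = 'assigned'; Ok = [bool]$hit }
})
Remove-Item $inf
$report | Format-Table -AutoSize
```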
ASKER
PS Thanks for the suggestions jay_jay70
It's a pleasure, mate,
I'm glad you figured this one out
well done
no complaints :)
cheers
Server Operators account should allow you to run this; also, you need to make sure that you have permissions on the target and destination folders...
Cheers!