  • Status: Solved
  • Priority: Medium
  • Security: Public

What are the minimum security requirements for task scheduler?

I want to copy files from a folder on a target machine to my web server, using a minimum security account. The account I have set up (call it Copier), so far is:
-a member of Users (only)
-is in the Allow Log on locally
-is in the Log on as a batch job

I then have the xcopy job set up. This works if run under a command line that is RunAs Copier.

I have then set up the scheduled task, and run it as Copier. It fails each time with the message "Could not start".

If run with Copier in the Administrator group, it works.

Giving Copier Full permissions to C:\Windows\Task (this was a last resort) did not help.

What have I missed?

Andy
0
Asked by: AGBrown
1 Solution
 
Jay_Jay70 Commented:
Hi AGBrown,

Server operators account should allow you to run this. Also, you need to make sure that you have permissions on the target and destination folders...

Cheers!
0
 
AGBrown (Author) Commented:
Target and destination folders are fine as it works when run under the command prompt using the Copier account to run cmd.

I should mention that this is not in a domain, it is a standalone web server.
0
 
AGBrown (Author) Commented:
That problem has been solved by pointing the task at xcopy directly, not at a batch job. So back to the original point of the question - what are the minimum security requirements to get this to work? Can I remove the Copier account from the Users group? Does that increase my security?
0
 
Jay_Jay70 Commented:
I wouldn't remove the Copier account from Users as I think you will then lose any rights. You can try though; I'm used to domain environments so I may be a little off on local groups :)
0
 
AGBrown (Author) Commented:
I gave it a shot, and it still works. But I can't work out why it needs to be in the admin group to run the batch file. It has full permissions on the batch file and all folders higher up than the batch file to the drive root, so that's not it. What else does it need to be able to use the .bat file as the job?
0
 
AGBrown (Author) Commented:
Curiouser. I checked the scheduled tasks log and I got this:
"xcopy test.job" (xcopy foreign.bat) 28/03/2006 17:54:27 ** ERROR **
      Unable to start task.
      The specific error is:
      0x80070005: Access is denied.
      Try using the Task page Browse button to locate the application.

Except, again, the Copier account has no problem executing this task when cmd is run under the copier account.
0
 
AGBrown (Author) Commented:
I found the answer. I had to give the user account execute permissions on cmd.exe, as this guy found:
http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=43812

So the answer is:
-Create a custom account (Copier in this case)
-Create a custom group (makes it easier to have lots of different copier accounts later on) (call it Copiers)
-Remove Copier from Users, and add it to Copiers
-Add Copiers to the "Allow log on locally" and "Log on as a batch" local security policies
-Ensure minimum "List folder contents permissions" for Copier on its target folder and all containing folders for that folder
-Ensure the same for the folder with the batch job in it
-Ensure minimum permissions for the target folder for the task (for xcopy this is Modify) for Copier
-Ensure Read&Execute on the batch job for Copier
-ENSURE EXECUTE ON CMD.EXE for the Copiers group

For this job, you also then need read/list ACL and read share permissions on the source share.

And you don't need the "Access this computer from the network permissions".

Andy
0
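The steps from the answer above, written out as a command sequence for an elevated command prompt. This is an added example, not part of the thread: the folder paths, task name and schedule are assumptions, and every grant is made to the Copiers group rather than to the Copier account directly.

```batch
@echo off
rem Added example. All names and paths set below are assumptions, not values from the thread.
setlocal
set "GROUP=Copiers"
set "ACCOUNT=Copier"
set "JOBDIR=C:\Jobs"
set "JOB=%JOBDIR%\xcopy-foreign.bat"
set "DESTROOT=D:\Mirror"
set "DEST=%DESTROOT%\Site"

rem 1. Custom group and account; the account ends up a member of Copiers only.
net localgroup %GROUP% /add
rem    "*" makes net user prompt for the password instead of taking it on the command line.
net user %ACCOUNT% * /add
net localgroup %GROUP% %ACCOUNT% /add
net localgroup Users %ACCOUNT% /delete

rem 2. Manual step: in Local Security Policy (secpol.msc), add Copiers to
rem    "Allow log on locally" and "Log on as a batch job".

rem 3. Read/list on the containing folders themselves (no inheritance flags,
rem    so nothing below them picks up the grant).
icacls "%DESTROOT%" /grant %GROUP%:(RX)
icacls "%JOBDIR%" /grant %GROUP%:(RX)

rem 4. Modify on the destination folder and its contents (xcopy writes here).
icacls "%DEST%" /grant %GROUP%:(OI)(CI)M

rem 5. Read and execute on the batch job itself.
icacls "%JOB%" /grant %GROUP%:(RX)

rem 6. The step that cleared 0x80070005 in the thread: execute access to cmd.exe.
icacls "%SystemRoot%\System32\cmd.exe" /grant %GROUP%:(RX)

rem 7. Register the task under the restricted account ("/rp *" prompts for the password).
schtasks /create /tn "xcopy foreign" /tr "%JOB%" /sc daily /st 02:00 /ru %ACCOUNT% /rp *

rem 8. Verify: show the cmd.exe ACL, run the task once, then read "Last Result".
icacls "%SystemRoot%\System32\cmd.exe"
schtasks /run /tn "xcopy foreign"
schtasks /query /tn "xcopy foreign" /v /fo list
endlocal
```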
 
AGBrown (Author) Commented:
PS Thanks for the suggestions jay_jay70
0
 
Jay_Jay70 Commented:
It's a pleasure mate,

I'm glad you figured this one out

Well done
0
 
Jay_Jay70 Commented:
no complaints :)

cheers
0
 
GranMod Commented:
Closed, 500 points refunded.
GranMod
The Experts Exchange
Community Support Moderator of all Ages
0
