AGBrown

What are the minimum security requirements for task scheduler?

I want to copy files from a folder on a target machine to my web server, using a minimum security account. The account I have set up (call it Copier), so far is:
-a member of Users (only)
-is in the Allow Log on locally
-is in the Log on as a batch job

I then have the xcopy job set up. This works if run under a command line that is RunAs Copier.

I have then set up the scheduled task, and run it as Copier. It fails each time with the message "Could not start".

If run with Copier in the Administrator group, it works.

Giving Copier Full permissions to C:\Windows\Task (this was a last resort) did not help.

What have I missed?

Andy
Jay_Jay70

Hi AGBrown,

Server operators account should allow you to run this. Also, you need to make sure that you have permissions on the target and destination folders...

Cheers!
AGBrown (ASKER)

Target and destination folders are fine as it works when run under the command prompt using the Copier account to run cmd.

I should mention that this is not in a domain, it is a standalone web server.
AGBrown (ASKER)

That problem has been solved by pointing the task at xcopy directly, not at a batch job. So back to the original point of the question - what are the minimum security requirements to get this to work? Can I remove the Copier account from the Users group? Does that increase my security?

Jay_Jay70

I wouldn't remove the Copier account from Users as I think you will then lose any rights. You can try though; I'm used to domain environments so I may be a little off on local groups :)
AGBrown (ASKER)

I gave it a shot, and it still works. But I can't work out why it needs to be in the admin group to run the batch file. It has full permissions on the batch file and all folders higher up than the batch file to the drive root, so that's not it. What else does it need to be able to use the .bat file as the job?
AGBrown (ASKER)

Curiouser. I checked the scheduled tasks log and I got this:
"xcopy test.job" (xcopy foreign.bat) 28/03/2006 17:54:27 ** ERROR **
      Unable to start task.
      The specific error is:
      0x80070005: Access is denied.
      Try using the Task page Browse button to locate the application.

Except, again, the Copier account has no problem executing this task when cmd is run under the copier account.
AGBrown (ASKER)

I found the answer. I had to give the user account execute permissions on cmd.exe, as this guy found:
http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=43812

So the answer is:
-Create a custom account (Copier in this case)
-Create a custom group (makes it easier to have lots of different copier accounts later on) (call it Copiers)
-Remove Copier from Users, and add it to Copiers
-Add Copiers to the "Allow log on locally" and "Log on as a batch" local security policies
-Ensure minimum "List folder contents permissions" for Copier on its target folder and all containing folders for that folder
-Ensure the same for the folder with the batch job in it
-Ensure minimum permissions for the target folder for the task (for xcopy this is Modify) for Copier
-Ensure Read&Execute on the batch job for Copier
-ENSURE EXECUTE ON CMD.EXE for the Copiers group

For this job, you also then need read/list ACL and read share permissions on the source share.

And you don't need the "Access this computer from the network permissions".

Andy
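
The checklist in the post above, scripted as an added example (not code from the thread or its participants). Assumptions: the folder paths and the temporary file names are placeholders, user rights are set by merging into a `secedit` export rather than through the Local Security Policy console, and all file permissions are granted to the Copiers group.

```powershell
# Added example. Run elevated in Windows PowerShell 5.1+ on the standalone server.
$TargetDir = 'D:\Incoming'          # placeholder: folder xcopy writes into
$BatchFile = 'D:\Jobs\copy-job.bat' # placeholder: batch job the task starts
$CmdExe    = Join-Path $env:SystemRoot 'System32\cmd.exe'

# 1. Account and group: Copier ends up a member of Copiers only.
New-LocalGroup -Name 'Copiers' | Out-Null
$pw = Read-Host 'Password for Copier' -AsSecureString
New-LocalUser -Name 'Copier' -Password $pw -UserMayNotChangePassword | Out-Null
Add-LocalGroupMember -Group 'Copiers' -Member 'Copier'
Remove-LocalGroupMember -Group 'Users' -Member 'Copier' -ErrorAction SilentlyContinue

# 2. User rights: export the current assignments, append the group's SID to
#    the two rights, and re-apply, so existing holders are kept.
$sid = '*' + (Get-LocalGroup -Name 'Copiers').SID.Value
$cfg = Join-Path $env:TEMP 'copiers-rights.inf'
$db  = Join-Path $env:TEMP 'copiers-rights.sdb'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
foreach ($right in 'SeInteractiveLogonRight', 'SeBatchLogonRight') {
    if ($lines -match "^$right\s*=") {
        $lines = $lines | ForEach-Object {
            if ($_ -notmatch "^$right\s*=") { return $_ }
            $held = ($_ -split '=', 2)[1].Split(',').Trim()
            if ($held -contains $sid) { $_ } else { "$_,$sid" }
        }
    } else {
        # Right held by nobody yet: add it under the section header.
        $lines = $lines | ForEach-Object {
            $_
            if ($_ -eq '[Privilege Rights]') { "$right = $sid" }
        }
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Remove-Item $cfg, $db -ErrorAction SilentlyContinue

# 3. NTFS permissions, granted to the group.
icacls $TargetDir /grant 'Copiers:(OI)(CI)M' | Out-Null  # Modify for xcopy's destination
icacls $BatchFile /grant 'Copiers:(RX)' | Out-Null       # Read & Execute on the batch job
foreach ($leaf in $TargetDir, (Split-Path $BatchFile -Parent)) {
    # List/traverse on the folder and each containing folder, not inherited.
    for ($p = $leaf; $p; $p = Split-Path $p -Parent) {
        icacls $p /grant 'Copiers:(RX)' | Out-Null
    }
}
# Fails with "Access is denied" if administrators cannot edit this file's ACL.
icacls $CmdExe /grant 'Copiers:(RX)'
```

The read/list and share permissions on the source share are set on the machine that hosts the share and are not covered here.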
AGBrown (ASKER)

PS Thanks for the suggestions jay_jay70

Jay_Jay70

It's a pleasure mate,

I'm glad you figured this one out

well done
no complaints :)

cheers