What are the minimum security requirements for task scheduler?

I want to copy files from a folder on a target machine to my web server, using a minimum security account. The account I have set up (call it Copier), so far is:
-a member of Users (only)
-is in the Allow Log on locally
-is in the Log on as a batch job

I then have the xcopy job set up. This works if run under a command line that is RunAs Copier.

I have then set up the scheduled task, and run it as Copier. It fails each time with the message "Could not start".

If run with Copier in the Administrator group, it works.

Giving Copier Full permissions to C:\Windows\Task (this was a last resort) did not help.

What have I missed?

Closed, 500 points refunded.
The Experts Exchange
Community Support Moderator of all Ages
Hi AGBrown,

server operators account should allow you to run this, also you need to make sure that you have permissions on the target and destination folders...

AGBrownAuthor Commented:
Target and destination folders are fine as it works when run under the command prompt using the Copier account to run cmd.

I should mention that this is not in a domain, it is a standalone web server.
AGBrownAuthor Commented:
That problem has been solved by pointing the task at xcopy directly, not at a batch job. So back to the original point of the question - what are the minimum security requirements to get this to work? Can I remove the Copier account from the Users group? Does that increase my security?
I wouldn't remove the Copier account from Users as I think you will then lose any rights. You can try though. I'm used to domain environments so I may be a little off on local groups :)
AGBrownAuthor Commented:
I gave it a shot, and it still works. But I can't work out why it needs to be in the admin group to run the batch file. It has full permissions on the batch file and all folders higher up than the batch file to the drive root, so that's not it. What else does it need to be able to use the .bat file as the job?
AGBrownAuthor Commented:
Curiouser. I checked the scheduled tasks log and I got this:
"xcopy test.job" (xcopy foreign.bat) 28/03/2006 17:54:27 ** ERROR **
      Unable to start task.
      The specific error is:
      0x80070005: Access is denied.
      Try using the Task page Browse button to locate the application.

Except, again, the Copier account has no problem executing this task when cmd is run under the copier account.
AGBrownAuthor Commented:
I found the answer. I had to give the user account execute permissions on cmd.exe, as this guy found:

So the answer is:
-Create a custom account (Copier in this case)
-Create a custom group (makes it easier to have lots of different copier accounts later on) (call it Copiers)
-Remove Copier from Users, and add it to Copiers
-Add Copiers to the "Allow log on locally" and "Log on as a batch" local security policies
-Ensure minimum "List folder contents permissions" for Copier on its target folder and all containing folders for that folder
-Ensure the same for the folder with the batch job in it
-Ensure minimum permissions for the target folder for the task (for xcopy this is Modify) for Copier
-Ensure Read&Execute on the batch job for Copier
-ENSURE EXECUTE ON CMD.EXE for the Copiers group

For this job, you also then need read/list ACL and read share permissions on the source share.

And you don't need the "Access this computer from the network permissions".
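
The checklist above, scripted in PowerShell as an added example (not code from the thread). The destination and batch-file paths are placeholders, and it assumes an elevated prompt with `icacls` and `secedit` available.

```powershell
$User  = 'Copier'
$Group = 'Copiers'
$Dest  = 'D:\CopyTarget'                  # placeholder: xcopy destination folder
$Batch = 'D:\Jobs\copy.bat'               # placeholder: batch file the task runs
$Cmd   = Join-Path $env:SystemRoot 'System32\cmd.exe'

# Custom account in a custom group, removed from Users
net user $User * /add                     # "*" prompts for the password
net localgroup $Group /add
net localgroup $Group $User /add
net localgroup Users $User /delete

# Read & Execute on a folder itself (no inheritance flags) lets the account
# list and traverse it without granting anything on the files inside.
function Grant-ListOnParents([string]$Path) {
    $p = Split-Path $Path -Parent
    while ($p) {
        icacls $p /grant "${User}:(RX)"
        $p = Split-Path $p -Parent
    }
}
Grant-ListOnParents $Dest
Grant-ListOnParents $Batch

icacls $Dest  /grant "${User}:(OI)(CI)(M)"   # Modify on the xcopy destination
icacls $Batch /grant "${User}:(RX)"          # Read & Execute on the batch file
icacls $Cmd   /grant "${Group}:(RX)"         # the step the thread identifies as the fix

# User rights are assigned in Local Security Policy (secpol.msc);
# this part only verifies that the group holds them.
$cfg  = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$acct = New-Object System.Security.Principal.NTAccount($Group)
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
$rights = @{ SeInteractiveLogonRight = 'Allow log on locally'
             SeBatchLogonRight       = 'Log on as a batch job' }
foreach ($r in $rights.Keys) {
    # The export lists holders either as *SID or by name, so match both
    $hit = Select-String -Path $cfg -Pattern "^$r\s*=" | Select-Object -First 1
    $ok  = $hit -and ($hit.Line -match "\*$sid\b|\b$Group\b")
    '{0} ({1}): {2}' -f $rights[$r], $r, $(if ($ok) { "held by $Group" } else { 'MISSING' })
}
```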

AGBrownAuthor Commented:
PS Thanks for the suggestions jay_jay70
It's a pleasure mate,

I'm glad you figured this one out

well done
no complaints :)

Question has a verified solution.
