What are the minimum security requirements for task scheduler?

I want to copy files from a folder on a target machine to my web server, using a minimum security account. The account I have set up (call it Copier), so far is:
-a member of Users (only)
-is in the Allow Log on locally
-is in the Log on as a batch job

I then have the xcopy job set up. This works if run under a command line that is RunAs Copier.

I have then set up the scheduled task, and run it as Copier. It fails each time with the message "Could not start".

If run with Copier in the Administrator group, it works.

Giving Copier Full permissions to C:\Windows\Task (this was a last resort) did not help.

What have I missed?

Andy
AGBrown Asked:

Jay_Jay70 Commented:
Hi AGBrown,

Server Operators account should allow you to run this; also, you need to make sure that you have permissions on the target and destination folders...

Cheers!
AGBrown (Author) Commented:
Target and destination folders are fine as it works when run under the command prompt using the Copier account to run cmd.

I should mention that this is not in a domain, it is a standalone web server.
AGBrown (Author) Commented:
That problem has been solved by pointing the task at xcopy directly, not at a batch job. So back to the original point of the question - what are the minimum security requirements to get this to work? Can I remove the Copier account from the Users group? Does that increase my security?
Jay_Jay70 Commented:
I wouldn't remove the Copier account from Users as I think you will then lose any rights. You can try though; I'm used to domain environments so I may be a little off on local groups :)
AGBrown (Author) Commented:
I gave it a shot, and it still works. But I can't work out why it needs to be in the admin group to run the batch file. It has full permissions on the batch file and all folders higher up than the batch file to the drive root, so that's not it. What else does it need to be able to use the .bat file as the job?
AGBrown (Author) Commented:
Curiouser. I checked the scheduled tasks log and I got this:
"xcopy test.job" (xcopy foreign.bat) 28/03/2006 17:54:27 ** ERROR **
      Unable to start task.
      The specific error is:
      0x80070005: Access is denied.
      Try using the Task page Browse button to locate the application.

Except, again, the Copier account has no problem executing this task when cmd is run under the copier account.
AGBrown (Author) Commented:
I found the answer. I had to give the user account execute permissions on cmd.exe, as this guy found:
http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=43812

So the answer is:
-Create a custom account (Copier in this case)
-Create a custom group (makes it easier to have lots of different copier accounts later on) (call it Copiers)
-Remove Copier from Users, and add it to Copiers
-Add Copiers to the "Allow log on locally" and "Log on as a batch" local security policies
-Ensure minimum "List folder contents" permissions for Copier on its target folder and all containing folders for that folder
-Ensure the same for the folder with the batch job in it
-Ensure minimum permissions for the target folder for the task (for xcopy this is Modify) for Copier
-Ensure Read&Execute on the batch job for Copier
-ENSURE EXECUTE ON CMD.EXE for the Copiers group

For this job, you also then need read/list ACL and read share permissions on the source share.

And you don't need the "Access this computer from the network" permission.

Andy
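
The steps listed in the answer above, scripted as an added example that is not part of the original thread. The folder paths and job file name are constructed placeholders, permissions are granted to the Copiers group rather than to the account itself, and the script assumes `ntrights.exe` (Windows Server 2003 Resource Kit) and `icacls` (Windows Server 2003 SP2 or later) are available.

```bat
@echo off
rem Added example: run from an elevated/administrator command prompt.
rem All names and paths below are constructed placeholders (assumptions).
setlocal
set ACCOUNT=Copier
set GROUP=Copiers
set TARGET=D:\Web\Incoming
set JOBDIR=D:\Jobs
set JOB=%JOBDIR%\copyjob.bat

rem Custom account and custom group; "*" prompts for the password
rem so it never appears in the script or in command history.
net user %ACCOUNT% * /add
if errorlevel 1 goto :fail
net localgroup %GROUP% /add
net localgroup %GROUP% %ACCOUNT% /add

rem Remove the default Users membership so the account holds only
rem what is granted explicitly below.
net localgroup Users %ACCOUNT% /delete

rem "Allow log on locally" and "Log on as a batch job" for the group.
ntrights +r SeInteractiveLogonRight -u %GROUP%
ntrights +r SeBatchLogonRight -u %GROUP%

rem List/traverse on every containing folder, this folder only
rem (no inheritance flags, so nothing below them is opened up).
for %%D in (D:\ D:\Web %JOBDIR%) do icacls %%D /grant "%GROUP%:(RX)"

rem Modify on the xcopy target, inherited by files and subfolders.
icacls %TARGET% /grant "%GROUP%:(OI)(CI)M"

rem Read & Execute on the batch job, and on cmd.exe, which is what
rem actually runs the .bat when the task starts.
icacls %JOB% /grant "%GROUP%:(RX)"
icacls "%SystemRoot%\System32\cmd.exe" /grant "%GROUP%:(RX)"

rem Print the resulting ACLs for review.
icacls "%SystemRoot%\System32\cmd.exe"
icacls %TARGET%
icacls %JOB%
goto :end

:fail
echo Account creation failed; no permissions were changed.
:end
endlocal
```

The read/list ACL and read share permission on the source share still have to be granted on the machine that hosts the share.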
AGBrown (Author) Commented:
PS Thanks for the suggestions jay_jay70
Jay_Jay70 Commented:
It's a pleasure, mate.

I'm glad you figured this one out.

Well done.
Jay_Jay70 Commented:
no complaints :)

cheers
GranMod Commented:
Closed, 500 points refunded.
GranMod
The Experts Exchange
Community Support Moderator of all Ages

Windows Server 2003