AFAIT
asked on
Secure a scheduled task? Third party software maybe?
Hi,
Does anyone know a way of locking down a scheduled task so that no one locally can modify or delete it? (WinXPPro and W2KPro) I can create a scheduled task on all of my users workstations but I can't seem to find a way to stop the users from deleting it or modifying it.
If there is no way of doing this is the OS...does anyone know of a peice of third party software that can do this?
Any help would be greatly appreciated. If could offer more points on this I would because I have a feeling this is a doozy of a question. :)
Thank you in advance
Does anyone know a way of locking down a scheduled task so that no one locally can modify or delete it? (WinXPPro and W2KPro) I can create a scheduled task on all of my users workstations but I can't seem to find a way to stop the users from deleting it or modifying it.
If there is no way of doing this is the OS...does anyone know of a peice of third party software that can do this?
Any help would be greatly appreciated. If could offer more points on this I would because I have a feeling this is a doozy of a question. :)
Thank you in advance
ASKER
Sorry...I forgot to mention a big peice of the puzzle...my users are all members of the local admin group... So this won't work.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I fear you should create another group of admins, which doesnt have that much power. Since Admins should be able to do everything.
Every program you install they can deinstall, or change permissions for doing it. So you must bind them to a sandbox, so you have more
rights them they have. i think in windows you can modify also which program which users can open, but if they have admin rights they can change it.
Maybe a program installed in the registry which would start on start up, and run all time, keeping and monitoring the tasks (or even starting these tasks) could be a solution, but it would be like a trojan, when they discover, au revoir solution.
Every program you install they can deinstall, or change permissions for doing it. So you must bind them to a sandbox, so you have more
rights them they have. i think in windows you can modify also which program which users can open, but if they have admin rights they can change it.
Maybe a program installed in the registry which would start on start up, and run all time, keeping and monitoring the tasks (or even starting these tasks) could be a solution, but it would be like a trojan, when they discover, au revoir solution.
ASKER
inbarasan,
I never really thought of doing it this way (server-side push)...though it might work. Basically I want to create a batch file that checks to see when the last time was that a user logged off and if it was more than a set number of days, it will tell them to log out. I kind of like the idea of having a server-side push of this task but I would have to get a list of all workstations and somehow pass that to the batch file...I will look into this and see what I can do and get back. ...may cause more network traffic than I am willing to allow for this...only one way to find out. :)
iskywalker,
Although I really appreciate your thoughts, I am not so sure that the new group suggestion would work...I cannot get into changing rights of the local admin group at this moment.
I never really thought of doing it this way (server-side push)...though it might work. Basically I want to create a batch file that checks to see when the last time was that a user logged off and if it was more than a set number of days, it will tell them to log out. I kind of like the idea of having a server-side push of this task but I would have to get a list of all workstations and somehow pass that to the batch file...I will look into this and see what I can do and get back. ...may cause more network traffic than I am willing to allow for this...only one way to find out. :)
iskywalker,
Although I really appreciate your thoughts, I am not so sure that the new group suggestion would work...I cannot get into changing rights of the local admin group at this moment.
well the idea of inbarasan is interesting, the list of host is easy, you should just make a command to log in and tell the name of the computer.
The problem the users can still block the port of the service. since they are still admin. You must act like a trojan, since you must pass through their confidence.
The problem the users can still block the port of the service. since they are still admin. You must act like a trojan, since you must pass through their confidence.
ASKER
Before the scheduled task is executed on the server, it needs the computer list...so wouldnt I need to create another scheduled task to query AD for all computers and redirect that to a text file? Then pass the text file to the scheduled batch file?
net view
Execute this command then you will receive updated list of computers
Execute this command then you will receive updated list of computers
ASKER
...Is there a way of using net view for a specific OU and sub OUs of that one?
Actually Net view will get a list of all the computers which you can see in Network neibourhood. You may look at dsquery tool to query against OU's and take the list.
ASKER
Awesome, I will look at that and get back. Thank you very much for your help.
ASKER
You were a huge help inbarasan!
Thank you!
Thank you!
Only the users part of Administartor group can modify/add/delete Scheduled tasks. So if you restrict this then you can lock users doing anything on the tasks
Cheers!