Solved

Secure a scheduled task? Third party software maybe?

Posted on 2006-11-06
Last Modified: 2008-03-06
Hi,
Does anyone know a way of locking down a scheduled task so that no one locally can modify or delete it? (WinXPPro and W2KPro) I can create a scheduled task on all of my users' workstations but I can't seem to find a way to stop the users from deleting it or modifying it.
If there is no way of doing this in the OS...does anyone know of a piece of third party software that can do this?
Any help would be greatly appreciated. If I could offer more points on this I would because I have a feeling this is a doozy of a question. :)
Thank you in advance
Question by:AFAIT
LVL 14

Expert Comment

by:inbarasan
ID: 17880783
Dear AFAIT,
Only the users that are part of the Administrator group can modify/add/delete Scheduled tasks. So if you restrict this then you can lock users from doing anything on the tasks.

Cheers!
0
 

Author Comment

by:AFAIT
ID: 17880795
Sorry...I forgot to mention a big piece of the puzzle...my users are all members of the local admin group... So this won't work.
0
 
LVL 14

Accepted Solution

by:
inbarasan earned 500 total points
ID: 17880839
AFAIT,
Then you may do it this way. Schedule tasks on a server to which users can't log in and remotely execute the commands from the server on your client systems.
You can download the psexec.exe freeware tool from www.sysinternals.com. This tool is part of the PsTools package.

Check whether this idea works
0
 
LVL 6

Expert Comment

by:_iskywalker_
ID: 17880869
I fear you should create another group of admins, which doesn't have that much power, since Admins should be able to do everything.
Every program you install they can uninstall, or change permissions for doing it. So you must bind them to a sandbox, so you have more
rights than they have. I think in Windows you can also modify which programs which users can open, but if they have admin rights they can change it.
Maybe a program installed in the registry which would start on startup, and run all the time, keeping and monitoring the tasks (or even starting these tasks) could be a solution, but it would be like a trojan; when they discover it, au revoir solution.
0
 

Author Comment

by:AFAIT
ID: 17880908
inbarasan,
I never really thought of doing it this way (server-side push)...though it might work.  Basically I want to create a batch file that checks to see when the last time was that a user logged off and if it was more than a set number of days, it will tell them to log out.  I kind of like the idea of having a server-side push of this task but I would have to get a list of all workstations and somehow pass that to the batch file...I will look into this and see what I can do and get back.  ...may cause more network traffic than I am willing to allow for this...only one way to find out.  :)

iskywalker,
Although I really appreciate your thoughts, I am not so sure that the new group suggestion would work...I cannot get into changing rights of the local admin group at this moment.
0
 
LVL 6

Expert Comment

by:_iskywalker_
ID: 17880957
Well, the idea of inbarasan is interesting. The list of hosts is easy, you should just make a command to log in and tell the name of the computer.
The problem is the users can still block the port of the service, since they are still admin. You must act like a trojan, since you must pass through their confidence.
0
 

Author Comment

by:AFAIT
ID: 17881035
Before the scheduled task is executed on the server, it needs the computer list...so wouldn't I need to create another scheduled task to query AD for all computers and redirect that to a text file? Then pass the text file to the scheduled batch file?
0
 
LVL 14

Expert Comment

by:inbarasan
ID: 17881057
net view

Execute this command then you will receive updated list of computers
0
 

Author Comment

by:AFAIT
ID: 17881065
...Is there a way of using net view for a specific OU and sub OUs of that one?
0
 
LVL 14

Expert Comment

by:inbarasan
ID: 17881107
Actually net view will get a list of all the computers which you can see in Network Neighborhood. You may look at the dsquery tool to query against OUs and take the list.
0
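The server-side push from the accepted solution, combined with the dsquery suggestion above, as an added example that is not part of the original thread. The OU distinguished name, the script path and the log path are placeholders to replace with your own values.

```batch
@echo off
rem Added example, not code posted in the thread.
rem Run this from a scheduled task on a server the users cannot log on to,
rem under a domain account that has admin rights on the workstations.
rem No -u/-p is passed to psexec, so no password is stored in this file.
setlocal

rem Placeholder values (assumptions): replace with your own OU and paths.
set "OU=OU=Workstations,DC=example,DC=com"
set "SCRIPT=C:\Tasks\logoff-check.cmd"
set "LOG=C:\Tasks\push.log"

rem "-scope subtree" covers the OU and every sub-OU beneath it.
rem "-o rdn" prints bare computer names, "-limit 0" lifts the 100-result cap.
rem %%~C strips the quotes dsquery puts around each name.
for /f "delims=" %%C in ('dsquery computer "%OU%" -o rdn -scope subtree -limit 0') do call :push %%~C

endlocal
goto :eof

:push
rem Skip machines that are switched off instead of waiting on psexec.
ping -n 1 -w 1000 %1 >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% %1 unreachable
    goto :eof
)

rem -c copies the script to the workstation, -f overwrites an old copy,
rem -s runs it as SYSTEM on the remote machine.
psexec \\%1 -s -c -f "%SCRIPT%" >nul 2>&1

rem psexec returns the remote program's exit code, so a non-zero value
rem means either the connection or the script itself failed.
if errorlevel 1 >>"%LOG%" echo %DATE% %TIME% %1 failed, exit code %ERRORLEVEL%
goto :eof
```

Because the users are local administrators, they can still stop the push by blocking access to their machine, so review the log for workstations that repeatedly show as unreachable or failed.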
 

Author Comment

by:AFAIT
ID: 17881208
Awesome, I will look at that and get back.  Thank you very much for your help.
0
 

Author Comment

by:AFAIT
ID: 17883051
You were a huge help inbarasan!
Thank you!
0
