Solved

Can't run Scheduled Task with non-Admin

Posted on 2007-10-12
Last Modified: 2011-02-24
I have a domain account that I want to use to run a Scheduled Task.  I have read several posts here regarding necessary permissions for an account to run a Scheduled Task on a Windows 2003 Server machine, and have applied the necessary permissions, but I still can't get it to work.
I get the following in the log:
-------------------------
"File Deployer Step 3.job" (3_BatchMoveToRs820VolStage.bat) 10/12/2007 11:37:00 AM ** ERROR **
      Unable to start task.
      The specific error is:
      0x80070005: Access is denied.
      Try using the Task page Browse button to locate the application.
--------------------------

First off, if I add this acct to the Administrators group, everything runs fine.  However, I don't want to do that.  I added it to the Backup Operators group, which supposedly has enough rights, but nothing.  The user has NTFS permissions to all the folders where the batch file resides, and everything else that the batch file "touches" or interacts with.  I also used CACLS to grant permissions to the Tasks folder (Full Access), but to no avail.  The user has the following User Rights assigned:
-Access this computer from the network (read somewhere it was needed)
-Allow log on locally
-Log on as a batch job
-Log on as a service

I created this Task with another user (an Admin) and it runs fine using those credentials and while logged on as the admin user.  However, when I change the credentials to the non-admin user's, I get the message above.  If I log-in to the server with the non-admin account and run the task with the non-admin's credentials, it runs fine!  But then when I go to look at the log later, I see the error above when it runs at the scheduled times.

Any ideas?  Am I missing something?  I've rebooted the machine after applying the user rights and all, with no results.  Please help!

Thanks in advance!
0
Question by:cheluto2
23 Comments
 
LVL 5

Expert Comment

by:fmonroy
ID: 20067397
have you checked the permissions on the scheduled task?

if not, go to scheduled tasks, right click your task and select properties, then go to security tab; your domain account should have at least read and exec permissions.
0
 
LVL 9

Expert Comment

by:Brugh
ID: 20067523
^ that's what i was thinking.
0
 
LVL 5

Expert Comment

by:fmonroy
ID: 20067538
don't read my mind plz :)
0

 
LVL 1

Author Comment

by:cheluto2
ID: 20067799
Yes.  I forgot to mention that, but I did add that account to the list with the max permissions.
0
 
LVL 5

Expert Comment

by:fmonroy
ID: 20067828
check the system log for a specific access denied message.
I see it's a bat file, did you check file permissions on commands the bat is calling?
0
 
LVL 1

Author Comment

by:cheluto2
ID: 20067935
No entries in the system log, and yes, the batch file has the right permissions, as well as the one command it executes, which is a call to WSFTP Pro using the command line.  The user has Full Access to the WSFTP Pro folder as well as all other folders that I can see are used for it.  

By the way, the Status in the Scheduled Tasks window reads "Could not start", so I get the feeling it is not even starting the job to even get to try to execute the command.  Is this possible?
0
 
LVL 5

Expert Comment

by:fmonroy
ID: 20067992
Ok, recheck plz at its properties on the task tab the "Run as" part: Verify the correct DOMAIN\USERNAME and set the correct password.

Also: UNCHECK "Run only if logged on" check box and CHECK the enabled check box.
0
 
LVL 1

Author Comment

by:cheluto2
ID: 20068128
It's been checked and re-checked over and over.  Also remember that if the credentials entered are incorrect you cannot save the changes to the task itself.

"Run only if logged on" is un-checked, "Enabled" is checked.

Permissions for the user in the Task are set to "Full Control"
0
 
LVL 5

Expert Comment

by:fmonroy
ID: 20068215
when is it scheduled to run?
0
 
LVL 1

Author Comment

by:cheluto2
ID: 20068293
It's scheduled to run "Every 30 minutes from 6:07am for 16 hours every day"

Does it matter when it is scheduled to run?

I just created a new identical job (different name, of course) while logged in as this non-admin user, and am waiting to see if this one will run for some reason.
0
 
LVL 5

Expert Comment

by:fmonroy
ID: 20068334
A few differences, but not in your case.

Please tell us the results of using the new job.

You can try running a simple explorer command to discard any problem related to the bat file.
0
 
LVL 1

Author Comment

by:cheluto2
ID: 20068615
Ok, here's what I've found.

Even though the option that says "Run only if logged on" is un-checked, the job only runs successfully if that user is logged on.  I logged on as that user to test the batch file, and it just happened to be I was logged in when the scheduled time came, and the command window popped up while the task ran, and the log shows that it ran successfully (?!?!?)

So the user appears to have all the permissions, but if it is not logged on, the job does not run.  And if I log in as another user and try to run it manually, it does not run either ("Could not start").  Any more ideas?  This is a little frustrating.  I am trying to understand why it works if I setup the user as an admin or if the user is logged in (even if not in the Admin group), but not otherwise.  It sounds (and the error states it) like a permissions issue, but to what?
0
 
LVL 5

Expert Comment

by:fmonroy
ID: 20068637
You set the "Log on as a batch job" permission for the user, but sometimes it needs a restart to make it effective, did you restart the system after setting that permission?
0
 
LVL 1

Author Comment

by:cheluto2
ID: 20068715
Yes.  I restarted the server after I granted all those rights as per another article I found, but I will restart it again and see if I have any luck.
0
 
LVL 1

Author Comment

by:cheluto2
ID: 20069031
I restarted the machine with no luck.  I monitored the Security Event Log, and these are the entries recorded when I run the job manually while logged on as another user (an Admin), and the job is setup to run with the non-Admin user.  The "*****" are the non-Admin user's ID and domain.  Does anybody see any clues here?

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      528
Date:            10/12/2007
Time:            4:22:25 PM
User:            ************
Computer:      SW820VOLWQA01
Description:
Successful Logon:
       User Name:      ******
       Domain:            ******
       Logon ID:            (0x0,0x92200)
       Logon Type:      4
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SW820VOLWQA01
       Logon GUID:      {faf71e23-1cd4-b708-512b-a2d22199b445}
       Caller User Name:      SW820VOLWQA01$
       Caller Domain:      LA
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 832
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      576
Date:            10/12/2007
Time:            4:22:25 PM
User:            *********
Computer:      *********
Description:
Special privileges assigned to new logon:
       User Name:      **********
       Domain:            **********
       Logon ID:            (0x0,0x92200)
       Privileges:      SeBackupPrivilege
                  SeRestorePrivilege

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            10/12/2007
Time:            4:22:25 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SW820VOLWQA01
Description:
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\WINNT\Tasks\File Deployer Step_3.job
       Handle ID:      3220
       Operation ID:      {0,598936}
       Process ID:      832
       Image File Name:      C:\WINNT\system32\svchost.exe
       Primary User Name:      SW820VOLWQA01$
       Primary Domain:      LA
       Primary Logon ID:      (0x0,0x3E7)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:      READ_CONTROL
                  SYNCHRONIZE
                  WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  WriteEA
                  ReadAttributes
                  WriteAttributes
                  
       Privileges:      -
       Restricted Sid Count:      0
       Access Mask:      0x120196

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      567
Date:            10/12/2007
Time:            4:22:25 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SW820VOLWQA01
Description:
Object Access Attempt:
       Object Server:      Security
       Handle ID:      3220
       Object Type:      File
       Process ID:      832
       Image File Name:      C:\WINNT\system32\svchost.exe
       Accesses:      WriteData (or AddFile)
                  AppendData (or AddSubdirectory or CreatePipeInstance)
                  
       Access Mask:      0x6

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      562
Date:            10/12/2007
Time:            4:22:25 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SW820VOLWQA01
Description:
Handle Closed:
       Object Server:      Security
       Handle ID:      3220
       Process ID:      832
       Image File Name:      C:\WINNT\system32\svchost.exe

-----------------------------------------------------------------------------

Event Type:      Success Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      538
Date:            10/12/2007
Time:            4:22:25 PM
User:            *************
Computer:      SW820VOLWQA01
Description:
User Logoff:
       User Name:      viscftp
       Domain:            VISA
       Logon ID:            (0x0,0x92200)
       Logon Type:      4
0
 
LVL 5

Expert Comment

by:fmonroy
ID: 20069629
Can't see any problem there, they're audit entries. Nothing on the system or application logs?
0
 
LVL 1

Author Comment

by:cheluto2
ID: 20069668
Thanks for looking at it.  No.  The other logs don't have a thing related to this.
0
 
LVL 5

Expert Comment

by:fmonroy
ID: 20069699
Sorry, can't reproduce the problem right now, I will try later at home if you haven't found a way to make it work.
0
 
LVL 1

Accepted Solution

by:
GPomerleau earned 2000 total points
ID: 20125294
If you audit c:\window\system32 for failure on the account you are using, you will notice that you have a failure on cmd.exe. So to have a scheduled task run as a non-admin account you need to have your account: run as a batch service and also have read/execute on cmd.exe.  I did it and it is working for me.
0
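Added example, not part of the original thread: the diagnostic step in GPomerleau's answer (audit for failures, then find the object that was denied) applied to a text export of the Security log in the layout pasted earlier. The sample entries, the `taskuser` name and the Failure Audit event are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample in the layout of the Security log entries pasted above.
# The Failure Audit entry and the user name are placeholders, not from the thread.
SAMPLE = """\
Event Type:      Success Audit
Event ID:      528
Successful Logon:
       User Name:      taskuser
       Logon ID:            (0x0,0x92200)
       Logon Type:      4

-----------------------------------------------------------------------------

Event Type:      Failure Audit
Event ID:      560
Object Open:
       Object Name:      C:\\WINNT\\system32\\cmd.exe
       Primary Logon ID:      (0x0,0x3E7)
       Client Logon ID:      (0x0,0x92200)
       Accesses:      ReadData (or ListDirectory)
                  Execute/Traverse
"""

def parse_events(text):
    """Split an exported log on dashed separator lines into field dicts."""
    events = []
    for block in re.split(r"^-{5,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"\s*([A-Za-z ]+?):\s+(\S.*?)\s*$", line)
            if m:
                fields.setdefault(m.group(1), m.group(2))
        if fields:
            events.append(fields)
    return events

def batch_logon_failures(events):
    """Failed object opens (560) made under a batch logon (528, Logon Type 4)."""
    batch = {e["Logon ID"]: e.get("User Name", "?") for e in events
             if e.get("Event ID") == "528" and e.get("Logon Type") == "4"
             and "Logon ID" in e}
    hits = []
    for e in events:
        if e.get("Event Type") == "Failure Audit" and e.get("Event ID") == "560":
            for key in ("Client Logon ID", "Primary Logon ID"):
                if e.get(key) in batch:
                    hits.append((batch[e[key]], e.get("Object Name")))
                    break
    return hits
```

Matching on the Logon ID ties each denied object to the task's own batch session, so failures from other sessions of the same account are not mixed in.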
 
LVL 1

Author Comment

by:cheluto2
ID: 20236543
GPomerleau, that solved some of the problem.  The task now runs under that account even if I remove it from the admin group (which is where I had put it because I could not find another solution).  
However, now the task never stops running.  It stops if the user is an admin.  I will research to find out where the problem is now.  But, because you provided the solution to get it to run, I am giving you the points.  Thank you very much!  And thanks to fmonroy, too, for the time.

0
 
LVL 5

Expert Comment

by:fmonroy
ID: 20238206
You're welcome, I'm so sorry, I completely forgot about this issue. It's good that you are getting a solution.
0
 
LVL 1

Expert Comment

by:GPomerleau
ID: 20247213
If you log on as a non-admin and manually run that famous job, does it complete successfully? What are you running in that batch? I suspect it is the command you are trying that requires more privileges. Could you post the content of that job?
0
 

Expert Comment

by:ITMystery
ID: 26205265
I have the exact same problem.  All the detailed symptoms you describe are present for me too.  However, granting read & execute to command.com with a restart did not solve my problem and I'm out of ideas.  Is there any other permission to get beyond "Could not start"?
0
