SCHTASKS /Change gives "access denied"

I'm using SCHTASKS to try to change the password for an existing task.  I created the task and can change it by right-clicking on the task itself, but not from the command line using SCHTASKS /CHANGE /RP newpassword /TN "TaskName"

This is different from the SQL question that was already posted.  

I can't do this locally, and should be able to doi it both locally and remotely.  I'm thinking there is broken code.

This is on Windows Server 2003 at SP-2.

Oh, and I've tried using RUNAS to open the CMD prompt, no joy.

Any help will be appreciated, gotta get this working.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

B HCommented:
anything useful in your security event logs?

what if instead of /rp password you re-specify the user too with the password such as:

SCHTASKS /Change /u domain\user /p password /TN "TaskName"

and, are you sure you have the taskname correct?
BatchMan-1Author Commented:
I just tried this on a Windows 2008 platform, and it worked locally on the box, which it wasn't doing on Windows Server 2003.  This enforces the idea that there is broken code.

Thanks for the suggestion, Bryon44035v3, but when you run SchTasks /Change /?, it shows the /RP without /RU, so should not be necessary.

Good idea, The event log shows a 567 ID, but I think that's just an audit for attempting to access the task.  Trying to view details on failed, web site down.
B HCommented:
i know you said you tried runas to launch the cmd... but did you do that using domain admin credentials?  even if, i dont know if it would be passed from cmd to schtasks to the network... maybe try running your command using runas for the command itself

runas /user:domain\admin "SCHTASKS /CHANGE /RP newpassword /TN "TaskName""
(and give it the password)
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

BatchMan-1Author Commented:
I am a domain admin, and used the same account when I created the task.  

Even when run on the local box, it still says "access denied", but allows me to change the password using the GUI.  That's why I suspect broken code on Windows Server 2003.  It did work on a Windows Server 2008 box, furthering my suspicions of broken code on 2003.

B HCommented:
well, you could always call into microsoft product support...

if they fix it, it costs you $250
if they confirm it's a bug, it costs you $0
BatchMan-1Author Commented:
hmmmm, sounds like I'll have to be a gambling man to find out for sure...

Thanks for your input!

I've run into the same issue myself and have not figured out a way to do it (the way it's supposed to).
I've been trying to write a super 'local admin password change' script that also updates any scheduled tasks running under the local admin account.  I can run schtasks /query on the remote server (with the new pass) but schtasks /change always fails. I worked around it using psexec:
psexec \\SERVER -w c:\windows\system32 -u USERNAME -p PASSWORD schtasks /change /tn TASKNAME /rp PASSWORD

So after I change the local admin password on the remote server, I have to pass in that new password to the psexec command (which then runs the shctasks command locally - on the remote server).

Ugly 'fix' but it works.

Personally, I think there is a bug with the schtasks /change command
Mohamed OsamaSenior IT ConsultantCommented:
I would suggest you take ownership of the tasks through Security>advanced>owner tab , or ensure that the task owner is the same as the login that tries to modify it from command line.
BatchMan-1Author Commented:
I did have to open an incident with Microsoft, who determined that you need to set the new password in the Active Directory first, then se the password in the task to match it.  If you try this in the GUI, it will not let you change the password unless it matches the AD, so this is an "undocumented feature" to do the same thing.   I have asked them to change the error message from "access denied" to something more helpful, like "doesn't match the password on record".

Closed with my thanks to the forum members.
Question PAQ'd, 50 points refunded, and stored in the solution database.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Today I learned that you must run the commands from a machine as local administrator.
Not being logged in as domain-admin.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.