SCHTASKS /Change gives "access denied"

I'm using SCHTASKS to try to change the password for an existing task.  I created the task and can change it by right-clicking on the task itself, but not from the command line using SCHTASKS /CHANGE /RP newpassword /TN "TaskName"

This is different from the SQL question that was already posted.  

I can't do this locally, and should be able to doi it both locally and remotely.  I'm thinking there is broken code.

This is on Windows Server 2003 at SP-2.

Oh, and I've tried using RUNAS to open the CMD prompt, no joy.

Any help will be appreciated, gotta get this working.

Thanks.
BatchMan-1Asked:
Who is Participating?
 
ee_autoConnect With a Mentor Commented:
Question PAQ'd, 50 points refunded, and stored in the solution database.
0
 
B HCommented:
anything useful in your security event logs?

what if instead of /rp password you re-specify the user too with the password such as:

SCHTASKS /Change /u domain\user /p password /TN "TaskName"

and, are you sure you have the taskname correct?
0
 
BatchMan-1Author Commented:
I just tried this on a Windows 2008 platform, and it worked locally on the box, which it wasn't doing on Windows Server 2003.  This enforces the idea that there is broken code.

Thanks for the suggestion, Bryon44035v3, but when you run SchTasks /Change /?, it shows the /RP without /RU, so should not be necessary.

Good idea, The event log shows a 567 ID, but I think that's just an audit for attempting to access the task.  Trying to view details on http://go.microsoft.com/fwlink/events.asp. failed, web site down.
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
B HCommented:
i know you said you tried runas to launch the cmd... but did you do that using domain admin credentials?  even if, i dont know if it would be passed from cmd to schtasks to the network... maybe try running your command using runas for the command itself

runas /user:domain\admin "SCHTASKS /CHANGE /RP newpassword /TN "TaskName""
(and give it the password)
0
 
BatchMan-1Author Commented:
I am a domain admin, and used the same account when I created the task.  

Even when run on the local box, it still says "access denied", but allows me to change the password using the GUI.  That's why I suspect broken code on Windows Server 2003.  It did work on a Windows Server 2008 box, furthering my suspicions of broken code on 2003.

0
 
B HCommented:
well, you could always call into microsoft product support...

if they fix it, it costs you $250
if they confirm it's a bug, it costs you $0
0
 
BatchMan-1Author Commented:
hmmmm, sounds like I'll have to be a gambling man to find out for sure...

Thanks for your input!

0
 
medic459Commented:
I've run into the same issue myself and have not figured out a way to do it (the way it's supposed to).
I've been trying to write a super 'local admin password change' script that also updates any scheduled tasks running under the local admin account.  I can run schtasks /query on the remote server (with the new pass) but schtasks /change always fails. I worked around it using psexec:
psexec \\SERVER -w c:\windows\system32 -u USERNAME -p PASSWORD schtasks /change /tn TASKNAME /rp PASSWORD

So after I change the local admin password on the remote server, I have to pass in that new password to the psexec command (which then runs the shctasks command locally - on the remote server).

Ugly 'fix' but it works.

Personally, I think there is a bug with the schtasks /change command
0
 
Mohamed OsamaSenior IT ConsultantCommented:
I would suggest you take ownership of the tasks through Security>advanced>owner tab , or ensure that the task owner is the same as the login that tries to modify it from command line.
0
 
BatchMan-1Author Commented:
I did have to open an incident with Microsoft, who determined that you need to set the new password in the Active Directory first, then se the password in the task to match it.  If you try this in the GUI, it will not let you change the password unless it matches the AD, so this is an "undocumented feature" to do the same thing.   I have asked them to change the error message from "access denied" to something more helpful, like "doesn't match the password on record".

Closed with my thanks to the forum members.
0
 
Me_in_ictCommented:
Today I learned that you must run the commands from a machine as local administrator.
Not being logged in as domain-admin.
0
All Courses

From novice to tech pro — start learning today.