neilmccabe
asked on
changing passwords on multiple scheduled tasks
I use the same account for all my scheduled tasks on all my servers. I need to change the password and don't want to have to go to each scheduled task to change the password. Is there a quick and easy way to do this? All my servers are running windows 2003.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Refresh... Sorry.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
adaroc, i'm getting "the system cannot find the batch label specified = ChangePW".
@ neilmccabe... did you run my batch file? it works fine.
---
@echo off
if not [%1]==[] if not [%2]==[] goto :run
echo usage: %0 {username} {password}
echo.
echo Where {username} changes the user name (user context) under which the scheduled task has to run.
echo.
echo Where {password} specifies a new password for the existing user context or the password for a new user account.
echo.
goto :eof
:run
for /f "skip=1 tokens=1 delims=," %%f in ('schtasks /query /fo csv') do (
echo * Located %%f task
echo Executing: schtasks /change /ru %1 /rp %2 /tn %%f
schtasks /change /ru %1 /rp %2 /tn %%f
echo ---
)
---
@echo off
if not [%1]==[] if not [%2]==[] goto :run
echo usage: %0 {username} {password}
echo.
echo Where {username} changes the user name (user context) under which the scheduled task has to run.
echo.
echo Where {password} specifies a new password for the existing user context or the password for a new user account.
echo.
goto :eof
:run
for /f "skip=1 tokens=1 delims=," %%f in ('schtasks /query /fo csv') do (
echo * Located %%f task
echo Executing: schtasks /change /ru %1 /rp %2 /tn %%f
schtasks /change /ru %1 /rp %2 /tn %%f
echo ---
)
ASKER
x66, I did. "Access is Denied". I'm logged in as admin of machine. Also I'm worried that my local admin account with same name will also get changed. Is that so?
hi
oops ..silly me didnt define the label
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------
@echo off
set Password=5tr0nGp4ssw0rd
cd /d "%SystemRoot%\tasks
for %%a in (*.job) do call :ChangePW %%a
goto :eof
:ChangePW
set TaskName=%*
set TaskName=%TaskName:~0,-4%
SCHTASKS /Change /RP %password% /TN "%TaskName%"
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ------
test it on a a non-production server first off -course
post back results
oops ..silly me didnt define the label
--------------------------
@echo off
set Password=5tr0nGp4ssw0rd
cd /d "%SystemRoot%\tasks
for %%a in (*.job) do call :ChangePW %%a
goto :eof
:ChangePW
set TaskName=%*
set TaskName=%TaskName:~0,-4%
SCHTASKS /Change /RP %password% /TN "%TaskName%"
--------------------------
test it on a a non-production server first off -course
post back results
ASKER
adaroc, your script also says "access is denied". i'm logged in as local admin
hi
are you running the batch file as an administrator ?
as in right click "run as" ?
are you running the batch file as an administrator ?
as in right click "run as" ?
ASKER
same deal. I noticed the "tasks" folder under c:\windows is inheriting the read-only attribute but I can't get windows to let me remove inheritance.
hi,
hmm let me study this a bit more remember using it sucessfully some years ago
will get back
hmm let me study this a bit more remember using it sucessfully some years ago
will get back
@ neilmccabe, Do you get an access denied msg when you run...
schtasks /query /fo csv
schtasks /query /fo csv
ASKER
x66, no I don't. It returns the name of tasks, date, time, etc....
ASKER
Try running my batch file as domain admin... with sanur.
runas /u:%USERDOMAIN%\Administra tor "cmd.exe /k myscript.bat" | sanur PASSWORD
runas /u:%USERDOMAIN%\Administra
ASKER
x66, "sanur is not recognized as an int or ext command..."
Also, are you passing the username parameter as either DOMAIN\USER or MACHINE\USER ?
I.e. fixtasks domain\username password
I.e. fixtasks domain\username password
You'll need to download sanur here... (it was a link on previous post)
http://www.commandline.co.uk/sanur_unsupported/sanur.zip
http://www.commandline.co.uk/sanur_unsupported/sanur.zip
Also, if you try RUNAS you'll need to specify full path to script...
runas /u:%USERDOMAIN%\Administra tor "cmd.exe /k \\server\share\path\fixtas ks.bat domain\username password | sanur PASSWORD"
runas /u:%USERDOMAIN%\Administra
ASKER
x66, I downloaded sanur and got your script to run. It didn't tell me that it was doing anything other than it dropped me to a C prompt. I then re-ran my scheduled task assuming that it would fail since your script its supposed to change the password of the job but the job ran. What am I doing wrong here?
ASKER
x66, I realize now what i'm doing wrong and ran this following: C:\>runas /u:csi\csiadmin "cmd.exe /k c:\test2.bat csi\csiadmin password1" | san
ur password2
it accepted it and opened another command windows and ran the command but I still got an access denied. I still keep seeing the tasks folder as having the read-only attribute on it. Would you agree that that must have something to do with it?
ur password2
it accepted it and opened another command windows and ran the command but I still got an access denied. I still keep seeing the tasks folder as having the read-only attribute on it. Would you agree that that must have something to do with it?
ASKER
x66, if I run c:\test2 csi\csiadmin password1 (where password1 is the real password for the acount) then it says "success: The parameters of scheduled task "blablabla" have been changed." So your script executes but doesn't change the password.
ASKER
x66, i'm getting this narrowed down. I found that by ignoring your script and just going to the scheduled job to change the password i'm getting an access denied. I changed the username and password there and it took it. I then ran your script asking it to change the username and password back so your script definately works. Now to figure out why i'm not allowed to change the password on the task scheduler!
Paste the output of the follow command in your reply...
cacls %windir%\tasks
ASKER
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\csiadmin>cd c:\
C:\>
C:\> cacls %windir%\tasks
C:\WINDOWS\Tasks CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Backup Operators:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
<Account Domain not found>(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
BUILTIN\Administrators:(OI )(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\>
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\csiadmin>cd c:\
C:\>
C:\> cacls %windir%\tasks
C:\WINDOWS\Tasks CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Backup Operators:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
<Account Domain not found>(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
BUILTIN\Administrators:(OI
NT AUTHORITY\SYSTEM:(OI)(CI)F
C:\>
Any error(s) running the following prior to my script?
takeown /f %windir%\tasks /r
ASKER
no errors - only successes
C:\>takeown /f %windir%\tasks /r
SUCCESS: The file (or folder): "C:\WINDOWS\tasks" now owned by user "CSI\csiadmi
n".
SUCCESS: The file (or folder): "C:\WINDOWS\tasks\desktop. ini" now owned by user
"CSI\csiadmin".
SUCCESS: The file (or folder): "C:\WINDOWS\tasks\SA.DAT" now owned by user "CSI\
csiadmin".
SUCCESS: The file (or folder): "C:\WINDOWS\tasks\SchedLgU .Txt" now owned by user
"CSI\csiadmin".
SUCCESS: The file (or folder): "C:\WINDOWS\tasks\websense dailybacku p.job" now ow
ned by user "CSI\csiadmin".
C:\>
C:\>takeown /f %windir%\tasks /r
SUCCESS: The file (or folder): "C:\WINDOWS\tasks" now owned by user "CSI\csiadmi
n".
SUCCESS: The file (or folder): "C:\WINDOWS\tasks\desktop.
"CSI\csiadmin".
SUCCESS: The file (or folder): "C:\WINDOWS\tasks\SA.DAT" now owned by user "CSI\
csiadmin".
SUCCESS: The file (or folder): "C:\WINDOWS\tasks\SchedLgU
"CSI\csiadmin".
SUCCESS: The file (or folder): "C:\WINDOWS\tasks\websense
ned by user "CSI\csiadmin".
C:\>
Paste the output of the following commands...
whoami /all
takeown /f %windir%\tasks /r
After you've taken ownership does my script run successfully? (scratch pasting output of the takeown command again from previous post)
ASKER
is that necessary? I'm logged in as domain admin. I should never be seeing access denied.
ASKER
x66, I already had ownership but just for the heck of it I retook ownership and still get access denied running your script. I'm logged in as domain admin. The only time I don't get access denied is when the username of the task is something else and telling your script to change it back to csi\csiadmin works. Its successful. But then if I run your script again to leave the csi\csiadmin as the username but change the password, I get access denied again. Its like it lets me change usernames but not passwords.
In the past I've encountered ghost ACLs which prevented access to a resource. In your case it shows which could imply a similar situation. Okay, let's try a couple other things and paste the output of the last command if you don't mind. Also, after running the commands manually let me know if you are still seeing access denied errors when running the script or manually modifying the task.
attrib -r -h -r -s %windir%\tasks\*.job
cacls %windir%\Tasks\*.job /e /g %userdomain%\%username%:F
cacls %windir%\Tasks\*.job
ASKER
invalid switch -r on first command
ASKER
I took out the second R and it worked. No other errors. Here is output of last command:
C:\>cacls %windir%\Tasks\*.job
C:\WINDOWS\Tasks\websensed ailybackup .job BUILTIN\Administrators:F
CSI\csiadmin:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
C:\>cacls %windir%\Tasks\*.job
C:\WINDOWS\Tasks\websensed
CSI\csiadmin:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
Ok, I get access denied myself when the password specified is incorrect. It appears it's automatically checking to ensure it's valid before making the change.
schtasks /change /RU gooduser /RP badpassword /tn "At1"
ERROR: Access is denied.
schtasks /change /RU gooduser /RP goodpassword /tn "At1"
SUCCESS: The parameters of scheduled task "At1" have been changed.
schtasks /change /RU gooduser /RP badpassword /tn "At1"
ERROR: Access is denied.
schtasks /change /RU gooduser /RP goodpassword /tn "At1"
SUCCESS: The parameters of scheduled task "At1" have been changed.
ASKER
still access denied
Does your password happen to have a quote or other MS-DOS "reserved" character in it? i.e. ? < > * | " $
ASKER
I have a $ in it. Special chars are requirred by group policy.
ASKER
x66, I think the issue here is that your script works but that i'm unable to change the password on any of my scheduled tasks throught my domain. I believe you have resolved the issue in terms of the scope of my original question. I consider this issue resolved in that matter. Thanks!
ASKER
The scripts work. The issue of me not being able to change my scheduled task passwords is a seperate issue. I gave some points to adaroc as he also came up with pretty much the same script at the same time but x66 did work on the issue more for me. Thanks everybody for responding.
Use that app to make your password change. Then use this
schtasks /change /S computername /tn NSNT /RP newpassword
Except, your VBscript will need to loop through your COMPUTERNAMEs (change it to a variable and put it within a FOR WHILE statement.
Or, use Excel to create a list of X rows with that, changing COMPUTERNAME as needed, then save it as a batch file.
Either way, it is doable,
Justin