Start Free Trial

asked on

changing passwords on multiple scheduled tasks

I use the same account for all my scheduled tasks on all my servers. I need to change the password and don't want to have to go to each scheduled task to change the password. Is there a quick and easy way to do this? All my servers are running windows 2003.

ASKER CERTIFIED SOLUTION

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

http://technet.microsoft.com/en-us/library/bb490996.aspx

Use that app to make your password change. Then use this

schtasks /change /S computername /tn NSNT /RP newpassword

Except, your VBscript will need to loop through your COMPUTERNAMEs (change it to a variable and put it within a FOR WHILE statement.

Or, use Excel to create a list of X rows with that, changing COMPUTERNAME as needed, then save it as a batch file.

Either way, it is doable,

Justin

Refresh... Sorry.

SOLUTION

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

ASKER

adaroc, i'm getting "the system cannot find the batch label specified = ChangePW".

@ neilmccabe... did you run my batch file? it works fine.

---
@echo off
if not [%1]==[] if not [%2]==[] goto :run
echo usage: %0 {username} {password}
echo.
echo Where {username} changes the user name (user context) under which the scheduled task has to run.
echo.
echo Where {password} specifies a new password for the existing user context or the password for a new user account.
echo.
goto :eof
:run
for /f "skip=1 tokens=1 delims=," %%f in ('schtasks /query /fo csv') do (
      echo * Located %%f task
      echo Executing: schtasks /change /ru %1 /rp %2 /tn %%f
      schtasks /change /ru %1 /rp %2 /tn %%f
      echo ---
)

ASKER

x66, I did. "Access is Denied". I'm logged in as admin of machine. Also I'm worried that my local admin account with same name will also get changed. Is that so?

hi

oops ..silly me didnt define the label

------------------------------------------------------------------------------------------------------
@echo off
set Password=5tr0nGp4ssw0rd
cd /d "%SystemRoot%\tasks
for %%a in (*.job) do call :ChangePW %%a
goto :eof

:ChangePW
set TaskName=%*
set TaskName=%TaskName:~0,-4%
SCHTASKS /Change /RP %password% /TN "%TaskName%"

------------------------------------------------------------------------------------------------------

test it on a a non-production server first off -course

post back results

ASKER

adaroc, your script also says "access is denied". i'm logged in as local admin

hi

are you running the batch file as an administrator ?

as in right click "run as" ?

ASKER

same deal. I noticed the "tasks" folder under c:\windows is inheriting the read-only attribute but I can't get windows to let me remove inheritance.

hi,

hmm let me study this a bit more remember using it sucessfully some years ago

will get back

@ neilmccabe, Do you get an access denied msg when you run...

schtasks /query /fo csv

ASKER

x66, no I don't. It returns the name of tasks, date, time, etc....

ASKER

i'm reading up on http://www.avianwaves.com/Blog/default.aspx?id=83&t=Easy-Way-to-Change-Permissions-on-the-Wi

Try running my batch file as domain admin... with sanur.

runas /u:%USERDOMAIN%\Administrator "cmd.exe /k myscript.bat" | sanur PASSWORD

ASKER

x66, "sanur is not recognized as an int or ext command..."

Also, are you passing the username parameter as either DOMAIN\USER or MACHINE\USER ?

I.e. fixtasks domain\username password

You'll need to download sanur here... (it was a link on previous post)

http://www.commandline.co.uk/sanur_unsupported/sanur.zip

Also, if you try RUNAS you'll need to specify full path to script...

runas /u:%USERDOMAIN%\Administrator "cmd.exe /k \\server\share\path\fixtasks.bat domain\username password | sanur PASSWORD"

ASKER

x66, I downloaded sanur and got your script to run. It didn't tell me that it was doing anything other than it dropped me to a C prompt. I then re-ran my scheduled task assuming that it would fail since your script its supposed to change the password of the job but the job ran. What am I doing wrong here?

ASKER

x66, I realize now what i'm doing wrong and ran this following: C:\>runas /u:csi\csiadmin "cmd.exe /k c:\test2.bat csi\csiadmin password1" | san
ur password2
it accepted it and opened another command windows and ran the command but I still got an access denied. I still keep seeing the tasks folder as having the read-only attribute on it. Would you agree that that must have something to do with it?

ASKER

x66, if I run c:\test2 csi\csiadmin password1 (where password1 is the real password for the acount) then it says "success: The parameters of scheduled task "blablabla" have been changed." So your script executes but doesn't change the password.

ASKER

x66, i'm getting this narrowed down. I found that by ignoring your script and just going to the scheduled job to change the password i'm getting an access denied. I changed the username and password there and it took it. I then ran your script asking it to change the username and password back so your script definately works. Now to figure out why i'm not allowed to change the password on the task scheduler!

Paste the output of the follow command in your reply...

cacls %windir%\tasks

Open in new window

ASKER

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\csiadmin>cd c:\

C:\>
C:\> cacls %windir%\tasks
C:\WINDOWS\Tasks CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Backup Operators:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES

<Account Domain not found>(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_EXECUTE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES

BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F

C:\>

Any error(s) running the following prior to my script?

takeown /f %windir%\tasks /r

Open in new window

ASKER

no errors - only successes

C:\>takeown /f %windir%\tasks /r

SUCCESS: The file (or folder): "C:\WINDOWS\tasks" now owned by user "CSI\csiadmi
n".

SUCCESS: The file (or folder): "C:\WINDOWS\tasks\desktop.ini" now owned by user
"CSI\csiadmin".

SUCCESS: The file (or folder): "C:\WINDOWS\tasks\SA.DAT" now owned by user "CSI\
csiadmin".

SUCCESS: The file (or folder): "C:\WINDOWS\tasks\SchedLgU.Txt" now owned by user
"CSI\csiadmin".

SUCCESS: The file (or folder): "C:\WINDOWS\tasks\websensedailybackup.job" now ow
ned by user "CSI\csiadmin".

C:\>

Paste the output of the following commands...

whoami /all
takeown /f %windir%\tasks /r

Open in new window

After you've taken ownership does my script run successfully? (scratch pasting output of the takeown command again from previous post)

ASKER

is that necessary? I'm logged in as domain admin. I should never be seeing access denied.

ASKER

x66, I already had ownership but just for the heck of it I retook ownership and still get access denied running your script. I'm logged in as domain admin. The only time I don't get access denied is when the username of the task is something else and telling your script to change it back to csi\csiadmin works. Its successful. But then if I run your script again to leave the csi\csiadmin as the username but change the password, I get access denied again. Its like it lets me change usernames but not passwords.

In the past I've encountered ghost ACLs which prevented access to a resource. In your case it shows which could imply a similar situation. Okay, let's try a couple other things and paste the output of the last command if you don't mind. Also, after running the commands manually let me know if you are still seeing access denied errors when running the script or manually modifying the task.

attrib -r -h -r -s %windir%\tasks\*.job
cacls %windir%\Tasks\*.job /e /g %userdomain%\%username%:F
cacls %windir%\Tasks\*.job

Open in new window

ASKER

invalid switch -r on first command

ASKER

I took out the second R and it worked. No other errors. Here is output of last command:

C:\>cacls %windir%\Tasks\*.job
C:\WINDOWS\Tasks\websensedailybackup.job BUILTIN\Administrators:F
CSI\csiadmin:F
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F

Ok, I get access denied myself when the password specified is incorrect. It appears it's automatically checking to ensure it's valid before making the change.

schtasks /change /RU gooduser /RP badpassword /tn "At1"
ERROR: Access is denied.

schtasks /change /RU gooduser /RP goodpassword /tn "At1"
SUCCESS: The parameters of scheduled task "At1" have been changed.

ASKER

still access denied

Does your password happen to have a quote or other MS-DOS "reserved" character in it? i.e. ? < > * | " $

ASKER

I have a $ in it. Special chars are requirred by group policy.

ASKER

x66, I think the issue here is that your script works but that i'm unable to change the password on any of my scheduled tasks throught my domain. I believe you have resolved the issue in terms of the scope of my original question. I consider this issue resolved in that matter. Thanks!

ASKER

The scripts work. The issue of me not being able to change my scheduled task passwords is a seperate issue. I gave some points to adaroc as he also came up with pretty much the same script at the same time but x66 did work on the issue more for me. Thanks everybody for responding.