Solved

How do I get Windows 7 program elevation to work in Task Scheduler?

Posted on 2010-08-25
15
2,123 Views
Last Modified: 2012-05-10
We have a network program that requires an admin account to run. We've used Task Scheduler to create a task with elevated credentials to run on a standard user account. We get the following error after we've entered the admin account information just as the task is about to be created:
"Task scheduler cannot create the task.  The user account is unknown, the password is incorrect, or the user does not have permission to create this task."

We can create the task if we start Task Scheduler as an admin, but that doesn't work for the users as they get an "ERROR: Access is denied." message when executing the task.

The network program works fine if the PC is logged in as an admin account.

Other than terminating UAC, do we have any options?
0
Comment
Question by:Caprica
  • 6
  • 5
  • 3
  • +1
15 Comments
 
LVL 6

Expert Comment

by:zkrieger
ID: 33527198
after you create the task, right click and open its properties page. on the bottom is a check box for "run with highest privileges"

if you want a task that anyone can run, set the user account to "system" and also check the run with highest privileges box.
0
 

Author Comment

by:Caprica
ID: 33527281
I can create a task as a regular user without elevated privileges. When I check "run with highest privileges" I get a prompt to enter the admin user and password, immediately after this is entered the same error is reported:

"Task scheduler cannot create the task.  The user account is unknown, the password is incorrect, or the user does not have permission to create this task."
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 33527307
Are you using Windows 7 Pro? (I think you should be). And does your computer have a proper password on the userid?   Don't forget that in stock Windows 7, the administrators account is disabled, so do not use it. Do not enable it.  Use instead the first account created when you installed Windows 7. That will be a member of the administrators group. You need one such account. ... Thinkpads_User
0
 

Author Comment

by:Caprica
ID: 33527312
This is Windows 7 Enterprise and it's a domain user account and a domain administrator account we're using. I'm beginning to wonder if task elevation is only for the local machine and not for network programs across a domain.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 33527330
Thanks for the update on the Windows version. First make sure there is a local administrator account on the computer (but not "administrator"). Then see if that works for Task Scheduler. That is how I see it working in the articles that present it.

Another possibility is to look at UAC Trust Shortcut at http://www.itknowledge24.com/ . This works, but seems to need a service running and also I do not know how it works on a domain. I am trying it out currently and have not explored all the ramifications. ... Thinkpads_User
0
 
LVL 6

Expert Comment

by:zkrieger
ID: 33527351
recall that any domain account thats going to be used that way will require the login as a service right.
if you dont want to deal with that, run as the SYSTEM user. there is no password for that account.

it sounds more as if your domain admin is not being added to the local admins group via policy.
0
 

Expert Comment

by:trimeche_hafedh
ID: 33527385
Deactivate UAC
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 90

Expert Comment

by:John Hurst
ID: 33527386
If it is a user machine, UAC should NOT be de-activated.   ... Thinkpads_User
0
 

Author Comment

by:Caprica
ID: 33527638
Thank you for all your suggestions. I will have another look at the system in the morning, it's at the office. This machine is a trial for the deployment of Windows 7 in our firm and turning off UAC would be against our policies. Unfortunately, we have older programs that need to be supported so we need to go through this process.
0
 

Author Comment

by:Caprica
ID: 33536929
I've tried some of your suggestions and the problem lies with the domain user account's inability to create a task to " Run with highest privileges". The task can be created if logged in as a domain admin, but then the user can't see the task to execute it.

Is there an AD policy that gives an account permission to create and run elevated tasks?
0
 
LVL 6

Expert Comment

by:zkrieger
ID: 33538065
hmm if its possible i believe it will have side affects you dont want, such as the user having at least local admin rights. im by no means an authority on the some 20,000? possible group policy options so maybe someone else can help you there.

if you just need something people can "run" at need, i would look at something scripted that stores the hashed elevated password.

http://mcpmag.com/articles/2005/09/19/the-invisible-administrator.aspx
might help you with that.
0
 

Author Comment

by:Caprica
ID: 33591778
Thanks for the suggestion but I don't want to use a third party tool to mess around with our passwords. Surely there's a way for Windows 7 to allow a regular user to run an elevated task - otherwise what's the point of elevating the task?
0
 
LVL 90

Accepted Solution

by:
John Hurst earned 500 total points
ID: 33592245
Use the UAC shortcut tool to create a shortcut on the desktop. You can do it, then user can run the task by double clicking the shortcut. The downside (which will be fixed according to the author) is that the shortcut service needs to run and it require a click to allow it. This is a bit of an annoyance, but will allow shortcuts to run.

... Thinkpads_User
0
 

Author Closing Comment

by:Caprica
ID: 33696166
I was hoping for a native Win7 solution, but this will do the job for now.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 33696292
Thank you. I, too, am waiting for a native Windows 7 solution. ... Thinkpads_User
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Image capture and Deploy method is consist on two phases. In our first phase we capture the image of windows from the PC in which Windows and others softwares are already installed. In second phase we deploy the created image on new PC in which we…
I hope this helps those who have been battling the SanDisk / U3 problem for a while. For anyone that is running Windows 7 64bit and is receiving and searching the internet for the “Windows Error: Windows has allocated a drive letter to the U3 dri…
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now