S4U Logon Type with different account : Access Denied.

    Question

  • Hi,

    I am writing a powershell script that registers a scheduled task with a Service Account (Not with my cred).

    I want to run the task even when the user is not logged on and want to check the Don't Store password checkbox.

    To get there, I have created a principal object with Service account as user and LogonType: S4U.

    When I tried to run Register-ScheduledTask @args, it throws access denied. This is because I didn't authenticate the service account. How do I provide the password to get the service account authenticated?

    $TaskName = "Test"
    $Interval = (New-TimeSpan -Minutes 5)
    $command = "$PSScriptRoot\test.ps1"
    $user = "user"
    $action = New-ScheduledTaskAction -Execute PowerShell.exe -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -Command $command"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval $Interval
    $S = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -Compatibility Win8
    # S4U: run whether or not the user is logged on, without storing the password
    $P = New-ScheduledTaskPrincipal -UserId $user -LogonType S4U -RunLevel Highest
    $arg = @{
        "TaskName" = $TaskName
        "Action" = $action
        "Trigger" = $trigger
        #"User" = $user
        "Principal" = $P
        "Settings" = $S
    }

    #Get-Credential | Export-Clixml -Path "$PSScriptRoot\pwd.xml"
    # remove any previous copy without prompting; ignore the error if it does not exist
    Unregister-ScheduledTask $TaskName -Confirm:$false -ErrorAction SilentlyContinue
    Register-ScheduledTask @arg

    Register-ScheduledTask : Access is denied.
    At line:23 char:1
    + Register-ScheduledTask @arg
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : PermissionDenied: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Register-ScheduledTask
       ], CimException
        + FullyQualifiedErrorId : HRESULT 0x80070005,Register-ScheduledTask


    Komal.

    Tuesday, October 03, 2017 1:33 PM

All replies

  • You need to be elevated.

    Here is how to code this:

    $command = "$PsScriptRoot\test.ps1"
    $user = 'domain\userid'
    $splat = @{
        TaskName  = 'Test'
        Action    = New-ScheduledTaskAction -Execute PowerShell.exe -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -File $command"
        Trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval 00:05:00
        Principal = New-ScheduledTaskPrincipal -UserId $user -RunLevel Highest #-LogonType S4U
    }
    # name the task to remove; without -TaskName this cmdlet would target every task
    Unregister-ScheduledTask -TaskName $splat.TaskName -Confirm:$false -ErrorAction SilentlyContinue
    Register-ScheduledTask @splat


    \_(ツ)_/
    Tuesday, October 03, 2017 2:05 PM
    Moderator
  • With elevated permissions, I am seeing the Access Denied error. (LogonType: S4U).


    Komal.

    Tuesday, October 03, 2017 2:22 PM
  • Hello Komal,

    To run a scheduled task, the user account should have the permissions below in the security policy (secpol.msc). Please check whether the S4U account has the permissions below.

    Logon as a batch job
    Logon as a service


    ----------
    Branav
    Tuesday, October 03, 2017 2:34 PM
  • Yes, the account is in the admin list. And administrators have Logon as a batch job/service.

    Even with this, the access is denied.


    Komal.

    Tuesday, October 03, 2017 2:42 PM
  • Hi Komal,

    Which service account did you use?

    I use the network service account for testing and the script works fine, the following figure for your reference:


    If you need further help, please feel free to let us know.

    Best Regards,
    Albert Ling

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 04, 2017 7:38 AM
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,
    Albert Ling


    Monday, October 09, 2017 10:00 AM
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If not, please reply and tell us the current situation so that we can provide further help.

    We appreciate your feedback.

    Best Regards,
    Albert Ling


    Thursday, October 12, 2017 6:19 AM
  • Thanks Albert, your answer helped me to set the -LogonType the way I wanted.

    Just to be more specific, we don't need to set the -RunLevel to "Highest"; even the "Limited" option works. The default option for -RunLevel is "none". It looks like when -LogonType is specified, a valid option for -RunLevel is required. The statements below worked just fine.

    # S4U with the lowest run level; -RunLevel must be set explicitly alongside -LogonType
    $principal = New-ScheduledTaskPrincipal -UserId $userName -LogonType S4U -RunLevel Limited;
    Register-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -Settings $settings -TaskName Test;


    • Proposed as answer by Pradeep86 Thursday, June 14, 2018 3:48 PM
    Thursday, June 14, 2018 3:47 PM
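The three points raised in the thread (the session must be elevated, the account needs the "Log on as a batch job" right, and -LogonType S4U wants an explicit -RunLevel, with Limited sufficing) combined into one script, as an added example that is not from any poster. The account name and script path are placeholders; the secedit parse only lists direct grants of SeBatchLogonRight, so a right inherited through a group such as Administrators will not show the account's own SID.

```powershell
# Added example: register a task under a service account with LogonType S4U (no stored
# password) and verify what was actually registered. Run from an elevated session.
$user   = 'DOMAIN\svc-placeholder'   # placeholder service account
$script = 'C:\Scripts\test.ps1'      # placeholder script path
$name   = 'Test'

# 1. Register-ScheduledTask with a non-interactive principal needs an elevated session.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$caller   = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $caller.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# 2. Show which SIDs hold "Log on as a batch job" (SeBatchLogonRight); S4U tasks run as
#    batch logons. Direct grants only: membership in a granted group is not resolved here.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$batch = (Get-Content $cfg -Encoding Unicode | Where-Object { $_ -like 'SeBatchLogonRight*' }) -replace '.*=\s*', ''
Remove-Item $cfg
$sid = (New-Object Security.Principal.NTAccount($user)).Translate([Security.Principal.SecurityIdentifier]).Value
Write-Host "SeBatchLogonRight granted to: $batch"
Write-Host "Account $user ($sid) listed directly: $(($batch -split ',') -contains "*$sid")"

# 3. Build the task: S4U logon type with the lowest run level that works (Limited), so the
#    task runs whether or not the user is logged on and no password is stored.
$action   = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -File `"$script`""
$trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -Compatibility Win8
$taskPrinc = New-ScheduledTaskPrincipal -UserId $user -LogonType S4U -RunLevel Limited

# Always name the task to remove; without -TaskName, Unregister-ScheduledTask targets every task.
Unregister-ScheduledTask -TaskName $name -Confirm:$false -ErrorAction SilentlyContinue
Register-ScheduledTask -TaskName $name -Action $action -Trigger $trigger -Settings $settings -Principal $taskPrinc | Out-Null

# 4. Read the task back and confirm the principal is what was requested.
$task = Get-ScheduledTask -TaskName $name
'{0}: runs as {1}, LogonType={2}, RunLevel={3}' -f $task.TaskName, $task.Principal.UserId, $task.Principal.LogonType, $task.Principal.RunLevel
```

The read-back in step 4 is the check worth keeping in any deployment script: a task whose Principal.LogonType is not S4U has had a password stored for it.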