Are UAC and schtasks utterly incompatible?

  • Question

  • Background:

    Two Vista Ultimate computers on the same "MSHOME" network/workgroup:
       VELOCITY has UAC disabled
       SONYLAP has UAC enabled

       Both have the same administrator account name and password.
       Both have firewall settings to allow schtasks remotely.
       Both below are results from running from that same admin account on both machines.

    1) VELOCITY, from an elevated command prompt runs:
       C:\> schtasks /QUERY /S SONYLAP

       This fails with "Access Is Denied"

    2) SONYLAP, from an elevated command prompt runs:
       C:\> schtasks /QUERY /S VELOCITY

       This succeeds, with a listing of all scheduled tasks on VELOCITY

    If I disable UAC on SONYLAP, and reboot it, then example #1 starts working,
    and example #2 continues to work.

    A /query would seem the simplest, safest, least restrictive thing I could
    try to do, yet it seems there is just no way to make it work with UAC turned
    on for the remote computer(s).  Can this be true?  Is the only scenario where
    schtasks can work on Vista one where the administrator has UAC turned on,
    and EVERYONE ELSE has to have it turned off in order to use schtasks on the
    remote Vista machines?

    I've seen questions with more elaborate scenarios posted on other boards, but
    with no direct answer to this seemingly fundamental question: Is it "either/or,
    but never both" when it comes to schtasks and UAC on Vista?

    Any help appreciated, TIA,

    WH1957

    P.S.  This is also posted in the Vista Network forum.  I will cross-post any useful answers here
    to there.
    Tuesday, April 22, 2008 2:28 AM

Answers

  • The below suggestion to my cross-posted question in the Networks forum resolved this issue; copied
    here as an FYI for any who are interested:

     Joson Zhou - MSFT wrote:

    Hi,

    Please disable the Remote UAC on the SONYLAP machine to check the result:

    1.    Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.

    2.    Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

    3.    On the Edit menu, point to New, and then click DWORD Value.

    4.    Type LocalAccountTokenFilterPolicy for the name of the DWORD, and then press ENTER.

    5.    Right-click LocalAccountTokenFilterPolicy, and then click Modify.

    6.    In the Value data box, type 1, and then click OK.

    7.    Exit Registry Editor.

    For more information about Remote UAC, please refer to the following website:

    http://msdn2.microsoft.com/en-us/library/aa826699.aspx

    Hope it helps.

    Thursday, April 24, 2008 7:45 AM
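
    The registry steps above, scripted in PowerShell as an added example (not part of the original thread or of the quoted reply): it reports the current LocalAccountTokenFilterPolicy state and can set or remove the value, so the change is easy to audit and to revert. With the value at 1, remote connections made with local administrator accounts are no longer given the UAC-filtered token; the function names are hypothetical.

```powershell
# Added example. Function names are assumptions; the key and value name come from the thread.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
$ValueName  = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # An absent value or 0 means remote UAC token filtering is on (the default).
    $raw  = $null
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $raw = $item.$ValueName }
    New-Object PSObject -Property @{
        Computer          = $env:COMPUTERNAME
        RawValue          = $raw
        RemoteUacFiltered = ($raw -ne 1)
    }
}

function Set-RemoteUacFiltering {
    param([Parameter(Mandatory = $true)][bool]$Enabled)

    # Writing under HKLM needs an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell prompt.'
    }

    if ($Enabled) {
        # Restore the default by deleting the value (steps 3-6 undone).
        Remove-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        # Same result as steps 3-6: DWORD LocalAccountTokenFilterPolicy = 1.
        New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-RemoteUacState
}

# On SONYLAP (the machine being queried remotely):
#   Get-RemoteUacState                       # record the state before changing anything
#   Set-RemoteUacFiltering -Enabled $false   # apply the change from the answer
# Then, from VELOCITY, repeat:  schtasks /QUERY /S SONYLAP
#   Set-RemoteUacFiltering -Enabled $true    # revert to the default
```
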
  •  

    Before we go further, I would like to inform you that if you have UAC enabled, we need to right click on "cmd" and choose "Run as Administrator", otherwise, we may encounter error "Access is denied". Therefore, please first check if the error no longer appears after we choose "Run as Administrator" on "cmd".

    Thursday, April 24, 2008 3:21 AM
    Moderator

All replies

  • Hi Sean,  

       Thanks for your reply and suggestion.

       The error still appears.

       Both of the original tests were run using elevated command prompts; although, the method of elevation
       was slightly different than your suggestion -- shortcuts configured to always run elevated. 

       I.e., the window pane's title always shows: "Administrator: C:\Windows\System32\cmd.exe."

       Nevertheless, as you suggested, I navigated to the C:\Windows\system32 directory, and literally opened
       cmd.exe as you suggested, using the "Run As Administrator" menu option, but with no difference in the
       results; both machines are now configured with UAC enabled, so I get an "Access Is Denied" in both
       directions, just as I have unfortunately come to expect.

       Any other thoughts or suggestions are appreciated.

    Thanks,

    wh1957
    Thursday, April 24, 2008 7:04 AM