none
Prohibit Scheduled Task Creation

    Question

  • Anyone out there who is able to prohibit users of a server 2008 r2 terminal server to create new taks?

    I have tried to use the GPO Administrative Templates - Windows Components - Task Scheduler - Prohibit New Task Creation, but it has no effect. I tried it under the computer settings as well as under the user settings. I see the registry values are being made:

    HKLM(or HKCU) \Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation (DWORD: 1)

    My users are still able to make new tasks. Probably it doesn't work because in the requirements information it says Server 2003, XP and Windows 2000 OS only.

    Is there a way to prohibit the creation of tasks by non-admins on a 2008 r2 server?

    Wednesday, April 29, 2015 1:28 PM

Answers

All replies

  • Hi,

    >>Is there a way to prohibit the creation of tasks by non-admins on a 2008 r2 server?

    We can try to use the following policy setting to edit the NTFS permissions of the folder C:\Windows\System32\Tasks:

    computer configuration/windows settings/security settings/file system

    Regarding this point, the following thread can be referred to for more information.

    Prevent adding tasks to task scheduler

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/574cc02a-44cf-40dc-b48f-6366d1251e13/prevent-adding-tasks-to-task-scheduler?forum=winserverTS

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by WUR-DE Monday, May 4, 2015 9:44 AM
    Friday, May 1, 2015 1:34 AM
    Moderator
  • Thanks Frank!

    Apparently my googling skills were failing me. I am glad you have pointed me in the right direction.

    I didn't use GPO in the end but I'm using the following icacls action in my startup script.

    %SystemRoot%\System32\icacls.exe %SystemRoot%\System32\Tasks\ /grant:r *S-1-5-11:(CI)(Rc)

    The rights for Authenticated Users used to be: (CI)(W,Rc)

    Kind regards

    Danny Quak

    Monday, May 4, 2015 9:44 AM