Allow non-admin access to Scheduled Tasks in Windows 2008+

    Question

  • Hi,

    Is it possible in windows 2008 server+ to allow non admin users to manage (i.e. create, edit and run) scheduled tasks in the task scheduler? I am not asking how to run a scheduled task as another user (to avoid any confusion :o).

    In windows 2003 you used to be able to change the permissions on the windows\tasks folder or another severe option was to add the user to the backup operator group, however these no longer seem to work.

    I can find no rights to assign to the user either that seem to relate to scheduled tasks.

    Cheers

    Allan

     

    Wednesday, November 30, 2011 10:01 PM

Answers

  • OK, so I have not found the question I asked, I have found a solution to another related sub issue. Hopefully this will help someone out.

    • How to allow a non admin user to run a scheduled task set to run as another user.

    I have fully documented the process on my blog, if you are interested.

     

    This aside it still would be good if there is some way to assign permissions/rights to allow a non admin user to control scheduled tasks (my original question).

     

    Friday, December 02, 2011 1:27 AM

All replies

  • Hi,

     

    No, non-admin cannot manage scheduled tasks unless run as an administrator.

     

    Thanks for your sharing! I think your blog will help a lot of users who have the same requests.

     

    Regards,


    Arthur Li

    TechNet Community Support

    Friday, December 02, 2011 5:38 AM
    Moderator
  • This aside it still would be good if there is some way to assign permissions/rights to allow a non admin user to control scheduled tasks (my original question).


    You can change the user rights associated with a particular task or group of tasks like any other folder.  Navigate to windows\system32\tasks and change permissions.
    Tuesday, May 01, 2012 9:26 PM
  • Prerequisites: This instruction assumes the user(s) you are delegating these perms to are already members of the Local Users and Remote Desktop Users groups, either implicitly or explicitly.

    Basically what we are trying to do is give NTFS permissions to the User(s) on the C:\Windows\Tasks folder. This is a challenge because there is not a Security Tab on the C:\Windows\Tasks folder.

    1. Open a command prompt and type:

       XCOPY C:\WINDOWS\TASKS c:\TASKPERM /s /e /k /o

       This will copy the tasks folder, in its entirety, including permissions and attributes. This essentially gives you a "mirrored" version of the scheduled tasks at C:\TASKPERM.
    2. Go to Windows Explorer and modify the ACL of C:\TASKPERM to suit your needs. Remember that if the user/group you are assigning permissions to should not be able to modify ALL tasks, it is important to set the "Apply To" attribute to "This folder only." Give the User(s) Modify access to the Scheduled Task you want to Delegate.
    3. Back at the command prompt, type:

       CACLS C:\TASKPERM /S

    4. Select the SDDL string (the stuff between the quotes) into the clipboard. Since the command prompt does not support line-wrapping text copy, you may have to paste a larger string into notepad, and then trim out the stuff on either side of the quotes. You only want the bare SDDL string in the clipboard.
    5. Type:

       CACLS C:\WINDOWS\TASKS /S:<SDDL>

       ...replacing/pasting the <SDDL> part with the SDDL string you put into the clipboard in step 4 -- do not include quotes.
    6. Test!
    7. Delete the C:\TASKPERM folder.

    To revert your C:\WINDOWS\TASKS folder to default, the default ACL for Windows Server 2003 is D:P(A;OICIIO;FA;;;CO)(A;;0x1200ab;;;BO)(A;;0x1200ab;;;SO)(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)

    http://blogs.technet.com/b/craigf/archive/2011/03/15/using-delegation-in-scheduled-tasks.aspx

    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/0ac9c2ed-d97b-4b8a-8409-730effb05084/

    http://boardreader.com/thread/Delegate_non_admins_users_to_start_edit_liuv__0ac9c2ed-d97b-4b8a-8409-730effb05084.html

    Thursday, July 19, 2012 4:40 AM
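
A check to run between steps 4 and 5 of the post above, as an added example that is not part of the original post: it lists which ACEs a candidate SDDL string adds or removes relative to a baseline before the string is applied with CACLS. `$Default` is the Windows Server 2003 default quoted in the post; `$Candidate` and the SID in it are constructed for illustration, and the function names are hypothetical.

```powershell
# Baseline: the default ACL quoted in the post above.
$Default   = 'D:P(A;OICIIO;FA;;;CO)(A;;0x1200ab;;;BO)(A;;0x1200ab;;;SO)(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)'
# Constructed sample: baseline plus Modify (0x1301bf), this folder only, for a made-up SID.
$Candidate = $Default + '(A;;0x1301bf;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

# Hypothetical helper: expand an SDDL string into one object per DACL entry.
function Get-SddlAce([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Show the account name when the SID resolves, otherwise the raw SID.
        $name = $ace.SecurityIdentifier.Value
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        New-Object PSObject -Property @{
            Trustee = $name
            Type    = $ace.AceQualifier                 # AccessAllowed / AccessDenied
            Mask    = '0x{0:x}' -f $ace.AccessMask      # e.g. 0x1f01ff = full control
            Flags   = $ace.AceFlags                     # inheritance (OI, CI, IO)
            Key     = "$($ace.AceQualifier);$($ace.AceFlags);$($ace.AccessMask);$($ace.SecurityIdentifier)"
        }
    }
}

# Hypothetical helper: report only the entries that differ between two SDDL strings.
function Compare-Sddl([string]$Before, [string]$After) {
    Compare-Object (Get-SddlAce $Before) (Get-SddlAce $After) -Property Key -PassThru |
        Select-Object @{n='Change';e={ if ($_.SideIndicator -eq '=>') {'added'} else {'removed'} }},
                      Trustee, Type, Mask, Flags
}

Compare-Sddl $Default $Candidate | Format-Table -AutoSize
```

An entry reported as "added" with inheritance flags, or with a mask wider than intended, means the grant reaches more than the single folder or task being delegated.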
  • I'm a little behind the eight ball on this question, but I've etched out a Rube Goldberg-esque way to accomplish what you're trying to do.  I'm trying to do it too -- working in an environment with a lot of developers who need access for limited administration tasks like this, without involving a server administrator such as myself.  I've concept-tested this with non-administrator accounts on an actual server with success.  The test workstation was Windows 7 and the target server was Windows 2008 R2.  This solution only works to allow a scheduled task to be launched -- that's it.  It DOES NOT allow a non-administrator to create/modify/delete/stop the task.  They can't even see a status -- they're taking it on faith that the task has run properly.

    1. Create your scheduled task, as normal.
    2. Using the PowerShell New-EventLog cmdlet (or your method of choice), create a new event source in the Application event log.  Call it whatever you want.
    3. In the original scheduled task, create an additional trigger, but set it to trigger when an event from the new source you created in #2 shows up.  Pick whatever ID you'd like to use for the event.  It's entirely arbitrary since you created the source in the first place.
    4. Using wevtutil.exe, grant a user/group write permissions to the Application event log (see: http://support.microsoft.com/kb/2028427).
    5. Using the PowerShell Write-EventLog cmdlet (or your method of choice), write an entry in the Application event log, the source being whatever you defined in step #2, and the ID being whatever you picked in step #3.
    6. The task should launch normally as soon as the event shows up.
    7. There will be challenges with things like PoSh syntax or remote PoSh execution rights (if you choose to use PoSh in the first place), but those challenges fall outside of the scope of this solution.  My plan is to do something with PoSh like enumerating all of the scheduled tasks available and giving the user a list of tasks to pick from -- there are many ways to skin a cat.

    This may not be the most elegant solution, and it's a little cumbersome, but it gets the job done.  Heck, you could make it even easier by creating a scheduled task local to the non-administrative user -- instead, the task would launch the Scheduled Tasks MMC with an administrator account which then gives the user the ability to remotely control the Scheduled Tasks.  Either way, the end result is met without elevating the user's rights or doing some sort of psexec or runas solution that requires you to potentially expose a password to someone who shouldn't see it.

    • Proposed as answer by BenMinehart Friday, August 10, 2012 8:20 PM
    Friday, August 10, 2012 7:59 PM
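
The steps in the post above, sketched as an added PowerShell example (not code from the thread). The source name, event ID, group, task name, command and the SYSTEM run-as account are placeholders, and the task is created together with its event trigger in one schtasks call instead of adding a trigger to an existing task.

```powershell
# All names below are assumptions for illustration, not values from the thread.
$Source   = 'TaskLauncher'             # hypothetical event source
$EventId  = 1000                       # arbitrary ID, as the post says
$Group    = 'CONTOSO\TaskRunners'      # hypothetical delegated group
$TaskName = 'NightlyExport'            # hypothetical task name
$TaskCmd  = 'C:\Scripts\export.cmd'    # hypothetical task action

# ---- Run once, elevated, on the server ----
# Step 2: register the event source in the Application log.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Steps 1 and 3: a task that fires only on this source and event ID.
# /RU SYSTEM is a placeholder; substitute the least-privileged account the job needs.
$query = "*[System[Provider[@Name='$Source'] and EventID=$EventId]]"
schtasks /Create /TN $TaskName /TR $TaskCmd /RU SYSTEM /SC ONEVENT /EC Application /MO $query

# Step 4: append a write-only ACE (0x2) for the group to the log's channel ACL.
# 0x1 (read) and 0x4 (clear) are deliberately not granted.
$sid  = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$line = wevtutil gl Application | Select-String '^\s*channelAccess:\s*(.+)$'
$sddl = $line.Matches[0].Groups[1].Value.Trim()
if ($sddl -cmatch 'S:') { throw 'Channel SDDL has a SACL; insert the ACE into the D: part by hand.' }
$ace  = "(A;;0x2;;;$sid)"
if ($sddl -notlike "*$ace*") {
    wevtutil sl Application "/ca:$sddl$ace"
}

# ---- Run by the delegated (non-admin) user ----
# Steps 5 and 6: writing the event launches the task; the message records who asked.
Write-EventLog -LogName Application -Source $Source -EventId $EventId `
    -EntryType Information -Message "Launch request for $TaskName by $env:USERNAME"
```

Any account that can write to the Application log can raise this event, so the task's action should take no input from the event itself, and the logged requests give a record to review.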
  • A product called System Frontier lets you grant rights to view, start and stop scheduled tasks without giving the user administrator rights. It works for Windows Server 2012, Windows Server 2008 and Windows Server 2003. Everything is centrally managed and easy to configure. You can also allow non-admin users to kill processes, manage Windows services and run custom scripts and command line tools.


    Thursday, December 27, 2012 11:40 PM
  • Hi,

    I had the same need and I've tested your solution BenMineHart !

    You're a god for me ;-)

    Effectively, it's a bit tortuous but it works very well!

    With a little script to give them choice on their desktops!

    Now, some of our users don't have to call us to launch specific tasks, they can do it themselves!

    Beneficial for everybody. I hope this need will be taken care of by MS in the next versions ...

    Tuesday, August 20, 2013 2:16 PM
  • On the contrary, this is pretty darn elegant and awesome.  Thank you very much, Ben!!!
    Tuesday, January 28, 2014 11:06 PM