Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Friday, July 18, 2014 8:49 AM
I hope someone can help.
I am using Windows Server 2012 R2 with PowerShell 4.0.
What I am trying to do is use PowerShell to create a Scheduled Task that has "Do not store password. This task will only have access to local computer resources" enabled.
I can create the task without issue - but I cannot enable this setting.
I believe I need to use the "New-ScheduledTaskPrincipal" cmdlet to set LogonType to "S4U".
I've tried the following script...
$passwordString = "mypassword"
$ComputerDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$A = New-ScheduledTaskAction -Execute "C:\Batch\MyScript.cmd"
$T = New-JobTrigger -Once -At "00:00" -RepetitionInterval (New-TimeSpan -Minutes 15) -RepeatIndefinitely
$S = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -Compatibility Win8
$U = $ComputerDomain + "\schedulersvc"
$P = New-ScheduledTaskPrincipal -UserId $U -LogonType "S4U" -Id Author
$D = New-ScheduledTask -Action $A -Trigger $T -Settings $S -Principal $P
$Task = Register-ScheduledTask -TaskName "SSHConfig - TEST" -InputObject $D
However, the "Register-ScheduledTask" cmdlet fails with an error that says "Register-ScheduledTask : Access is denied".
I have no idea why...I can create the task manually - so I know I have permission to do it.
Anyone got any idea how to do this?
Kind regards,
Lee
All replies (9)
Friday, July 18, 2014 9:45 AM
for some reason I couln'd reproduce this issue
$passwordString = "mypassword"
$ComputerDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$A = New-ScheduledTaskAction -Execute "C:\Batch\MyScript.cmd"
$T = New-JobTrigger -Once -At "00:00" -RepetitionInterval (New-TimeSpan -Minutes 15) -RepeatIndefinitely
$S = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -Compatibility Win8
$U = $ComputerDomain + "\ChenV"
$P = New-ScheduledTaskPrincipal -UserId $U -LogonType "S4U" -Id Author
$D = New-ScheduledTask -Action $A -Trigger $T -Settings $S -Principal $P
$Task = Register-ScheduledTask -TaskName "SSHConfig - TEST" -InputObject $D
Do Not Store Password was checked. I tried with my Admin account ChenV.
Win 2012, WMF 4.0 - successfull
Policy:
Network Access: Do not allow storage of passwords and credentials for network authentication
is in Disabled state.
Regards Chen V [MCTS SharePoint 2010]
Friday, July 18, 2014 11:37 AM
In light of a private reply from ChenV (thanks ChenV) I have discovered some more information.
"IF" I logon to my server as "MYDOMAIN\schedulersvc" and execute the above code then it works perfectly.
BUT...if I logon to my server as "MYDOMAIN\anotheruser" and execute the above code then I get the error I reported above.
Any ideas how I can modify my code so that 'anyone' (with Domain Admin permissions) can create the above Scheduled Task?
Kind regards,
Lee
Friday, July 18, 2014 11:54 AM
Does the account you're trying to use have the 'Logon as Batch" user right on the server?
[string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
Friday, July 18, 2014 12:10 PM
Lee Wilmott, thats correct.
You can refer this post too
http://social.technet.microsoft.com/Forums/windowsserver/en-US/760ee186-8074-40a5-95b0-35d17c2bdfab/log-on-as-batch-job-right
Regards Chen V [MCTS SharePoint 2010]
Monday, July 21, 2014 7:51 AM
Hi Lee,
I’m writing to just check in to see if the suggestions were helpful. If you need further help, please feel free to reply this post directly so we will be notified to follow it up.
If you have any feedback on our support, please click here.
Best Regards,
Anna Wang
TechNet Community Support
Monday, July 21, 2014 8:33 AM
Sorry Anna, I wasn't working at the weekend. Lee
Monday, July 21, 2014 8:44 AM
Hi mjolinor,
Many thanks for your reply. The "anotheruser" account is a member of the Domain Admins group. I have also added my account into the "Logon as a Batch" right explicitly.
The same issue occurs...
"Register-ScheduledTask : Access is denied"
Puzzled!
Lee
Tuesday, October 3, 2017 1:19 PM
Does anyone has answer for this problem? I am also facing similar issue.
Komal.
Monday, October 9, 2017 2:14 PM
Did you tried this?
Kind regards,
Tim
MCITP, MCTS, MCSA
http://directoryadmin.blogspot.com
This posting is provided 'AS IS' with no warranties or guarantees and confers no rights.
"If this thread answered your question, please click on "Mark as Answer"