

GPO Task Scheduler not being created for non admin users

Question

Friday, January 4, 2019 8:27 PM

Hello All, 

I am trying to schedule a task via GPO for all users (non-admin users, using Windows 10) at selected times. The task is to run a .vbs script from a selected location. I have confirmed that non-admin users have access to the selected script. I have also tested that users can manually run the script successfully. The scheduled task gets created (in the "Task Scheduler") ONLY when an ADMIN user logs on.

Problem: When a non-admin user logs on, the task does not get created. This defeats the whole purpose of creating the scheduled task.

**Settings I have in the scheduled task properties:**

When running the task, use the following user account: "NT AUTHORITY\System"

Tried both: 1) Run only when user is logged on and 2) Run whether user is logged on or not.

Checked for "Run with highest privileges".   

Configured for "Windows Vista or Windows Server 2008"

Conditions: checked for "Wake the computer to run this task" 

Settings: checked for "Allow task to be run on demand" 

Any help/recommendation will be much appreciated!!!!! 

Thank you in advance. 

All replies (5)

Friday, January 4, 2019 9:39 PM

Have you confirmed that "NT Authority\System" has access to the vbs location? 

Also do you have any security setup to limit the use of run as batch process on desktops or servers? 

That's part of the NIST compliance, for PCI, FINRA, and CIS. Just want to make sure that's not the case, or you will need to add the exception to that policy for the System, at which point I would suggest using an administrative account that doesn't have interactive logon ability but has run as batch.

Rob


Monday, January 7, 2019 7:19 AM

Hi,

Is it a computer configuration or user configuration? It is supposed to be a user configuration according to your requirement.

Based on my knowledge:

If it is part of Computer Configuration, by default the task is run in the security context of the SYSTEM account;

If it is part of User Configuration, by default the task is run in the security context of the logged-on user.

According to your requirement, we can:

  1. Configure this policy following the steps in the article below (note: under user configuration):

     /en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725745(v=ws.11)

  2. Filter out administrator groups:

     - Remove authenticated users under security filter
     - Add non-admin user groups
     - Delegate authenticated users with read permission only

Hope the information above can be helpful.

Best regards,

Lavilian

Please remember to mark the replies as answers if they help and unmark them if they provide no help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
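
The security-filtering steps in the reply above, scripted with the GroupPolicy PowerShell module as an added example (not part of the original thread). The GPO, group and task names are hypothetical placeholders; `Get-TaskContext` is meant to be run on the client as the non-admin user to confirm the task exists and runs as the logged-on user rather than SYSTEM.

```powershell
# Added example. All three names are hypothetical placeholders, not from the thread.
$GpoName     = 'User - Scheduled VBS Task'   # GPO holding the User Configuration task
$TargetGroup = 'Standard-Users'              # non-admin security group
$TaskName    = 'Run-Script'                  # task name defined in the GPO

function Set-TaskGpoFilter {
    # Run on a management host with the RSAT Group Policy tools installed.
    Import-Module GroupPolicy
    # Authenticated Users: downgrade from Apply to Read. -Replace is needed,
    # otherwise a permission lower than the existing one is not applied.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    # Non-admin group: Read + Apply group policy (the security filtering entry).
    Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

function Test-TaskGpoFilter {
    # Confirms the delegation matches the steps: read-only for Authenticated
    # Users, apply for the non-admin group.
    Import-Module GroupPolicy
    $perms = Get-GPPermission -Name $GpoName -All
    $auth  = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
    $group = $perms | Where-Object { $_.Trustee.Name -eq $TargetGroup }
    [pscustomobject]@{
        AuthenticatedUsersReadOnly = ($auth.Permission  -eq 'GpoRead')
        TargetGroupCanApply        = ($group.Permission -eq 'GpoApply')
    }
}

function Get-TaskContext {
    # Run on the client as the non-admin user, after: gpupdate /target:user /force
    # Returns nothing if the task was not created for this user.
    Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue |
        Select-Object TaskName, State,
            @{ n = 'RunAs';     e = { $_.Principal.UserId } },
            @{ n = 'LogonType'; e = { $_.Principal.LogonType } },
            @{ n = 'RunLevel';  e = { $_.Principal.RunLevel } }
}
```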


Monday, January 7, 2019 7:04 PM

Hi Rob,

This does not work with the domain administrator account either! Under "When running the task, use the following user account" I input the domain admin account, but it never asks me for the password for the account.

I have confirmed that the domain admin account can access the files and is able to run the file successfully.

Another issue I came across is that this GPO policy (creating a scheduled task to run a script) does not work on the servers. I can see that the GPO is applied (gpresult /r /scope computer), but even with an admin account I cannot see the task in the Task Scheduler.

Thank you. 


Thursday, January 10, 2019 7:44 AM

Hi,

Have you tried the solution I provided above?

Just to confirm the current situation.

Please feel free to let us know if any assistance is needed.

Best regards,

Lavilian



Monday, January 14, 2019 6:42 AM

Hi,

Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

Best Regards,

Lavilian
