Powershell RunLevel Highest permission error creating scheduled tasks

Question

Monday, November 7, 2016 9:12 AM

Running Windows 10 Version 1607 build 14393.351, clean install of Windows, nothing else.

We have a powershell script that creates scheduled tasks at first logon after a WDS, which has been working fine up until now. Logged in as a local administrator, we get an access denied error when trying to create the task setting the run level to highest. Removing the setting creates the task fine, but we need it to run with highest privileges.

Here is the powershell:

$action = New-ScheduledTaskAction -Execute 'c:\Windows\System32\shutdown.exe' -Argument '-r -t 00'
$trigger = New-ScheduledTaskTrigger -Daily -At 1am -DaysInterval 1 -RandomDelay 04:00:00
$settings = New-ScheduledTaskSettingsSet -WakeToRun -AllowStartIfOnBatteries
$description = "Restart Workstation between 1am and 5am Daily"
Register-ScheduledTask -TaskName "Restart Workstation Daily" -Action $action -Trigger $trigger -User "[email protected]" -Password "PaSsWoRd" -RunLevel Highest -Description $description -Settings $settings

And here is the error message:

Register-ScheduledTask : Access is denied.
At C:\logs\ScheduledTasks.ps1:6 char:1
+ Register-ScheduledTask -TaskName "Restart Workstation Daily" -Action  ...
    + CategoryInfo          : PermissionDenied: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Register-ScheduledTask], CimException
    + FullyQualifiedErrorId : HRESULT 0x80070005,Register-ScheduledTask

Like I said, removing -RunLevel Highest allows the task to be created. This is on a fresh install of Windows 10, logging in as local admin; it works perfectly on Windows 8, so I'm guessing something has changed in Windows 10.

Anyone have any ideas?

All replies (1)

Monday, November 7, 2016 11:45 AM

Hello

Run with highest privileges means that it runs with the highest privileges available to that user. This is different from the context menu's 'Run As Admin'. 'Run As Admin' will use an elevated token if the account has the right permissions - but if not, like the case of a standard user account, it prompts you to run as a different user. By contrast, 'Run with highest privileges' just generates the highest privilege token for the specific user - it cannot run as a different user.

This makes a difference in certain things, when using an account with elevated permissions. For example, a local administrator is part of the 'Administrators' local group. However, when logging in with the local administrator account (or running a task), by default, it uses a 'low privilege' token, which doesn't contain the membership for the 'Administrators' group. So, running in 'low privilege' and then trying to access a file that is only accessible to 'Administrators' will fail in low privilege mode (even though your account is a member of the Administrators group). 'Run with highest privileges' creates the full token which does include the Administrators group membership, so could access

Regards, Regin Ravi
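As an added illustration of the token difference described in the reply above (this is example code, not part of the original thread or the poster's script), the snippet below checks whether the current PowerShell session holds the full token or the UAC-filtered one before attempting the registration, so a filtered token is reported explicitly rather than surfacing as HRESULT 0x80070005 from the CIM layer. Under a filtered token, BUILTIN\Administrators is marked deny-only, which is why WindowsPrincipal.IsInRole() returns $false even though the account is a member of the group. The task name, description, account and password values are placeholders assumed for this example.

```powershell
# Added example (not from the original thread). Distinguishes the filtered
# (low privilege) token from the full token before calling Register-ScheduledTask.

function Test-ElevatedToken {
    # In a UAC-filtered token the Administrators group is present only as
    # deny-only, so IsInRole() reports $false; it reports $true for the full token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Register-HighestRunLevelTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$Password,
        [string]$Description = ''
    )

    if (-not (Test-ElevatedToken)) {
        # Fail with a descriptive message instead of the generic "Access is denied".
        throw "Session '$([Security.Principal.WindowsIdentity]::GetCurrent().Name)' holds a filtered token; " +
              "start PowerShell elevated before registering '$TaskName' with -RunLevel Highest."
    }

    # Same task definition as the thread's script: daily reboot at 1am with up to 4h random delay.
    $action   = New-ScheduledTaskAction -Execute 'C:\Windows\System32\shutdown.exe' -Argument '-r -t 00'
    $trigger  = New-ScheduledTaskTrigger -Daily -At 1am -DaysInterval 1 -RandomDelay (New-TimeSpan -Hours 4)
    $settings = New-ScheduledTaskSettingsSet -WakeToRun -AllowStartIfOnBatteries

    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User $User -Password $Password -RunLevel Highest `
        -Description $Description -Settings $settings
}

# Usage with placeholder values (assumed for this example):
"Elevated token present: $(Test-ElevatedToken)"
# Register-HighestRunLevelTask -TaskName 'Restart Workstation Daily' `
#     -User 'DOMAIN\svc-placeholder' -Password '<placeholder>' `
#     -Description 'Restart workstation between 1am and 5am daily'
```

Running `Test-ElevatedToken` from the same local-administrator session that produced the error shows directly which of the two tokens the reply describes the script is running under; `whoami /groups` gives the same picture with the Administrators entry flagged "Group used for deny only" when the token is filtered.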