Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Minimum privileges to create Scheduled Tasks

Options
  • 20-11-2012 6:48pm
    #1
    lukin
    Registered Users Posts: 4,037 ✭✭✭


    I want to create a user on a Server 2008 OS whose specific role will be to create scheduled tasks on clients on the domain (the server is a domain controller).
    The purpose of this user is so it can be invoked by "run as" in a C# application I have created that is installed on each PC in the domain.
    This application creates Scheduled Tasks automatically but the user who is logged on at the time may not have the priveleges to create Scheduled Tasks on the PC. This is why I need the application to "run as" a user who has these priveleges.
    From what I have read, the minimum rights needed to create scheduled tasks on a domain is that the user must be added to the group "Backup Operators".
    I did this; creating a user that is in this group and then got the application to "run as" this user.
    However the tasks are not being created. It is not throwing an exception, it just won't do it. The only way I can get it to work is by "run as" the admin of the domain. Even though the app is fairly secure (I get the "run as" credentials via a web service from the server; they are not hardcoded into the app),this is not really satisfactory as I would prefer to "run as" a user who just has the rights to create scheduled tasks and nothing else.
    Even when I create a specific user and give him admin priveleges, it still won't work, it's domain admin or nothing.
    I have tried loads of things (changing settings on the local security policy of the clients and on the server; too many changes to list here) but nothing works.
    Any suggestions would be welcome, thanks.


Comments

  • Options
    #2
    swampgas
    Registered Users Posts: 3,564 ✭✭✭swampgas


    Not my area, but maybe you need to make your app run as a service? (Might need to be compiled as such though). Then have the service run as a user with the appropriate permissions?


  • Options
    #3
    Head The Wall
    Registered Users Posts: 2,892 ✭✭✭Head The Wall


    Performance Log Users may fit the bill for you - Members of this group can manage performance counters, logs and alerts on the server locally and from remote clients without being a member of the Administrators group.

    Failing that there are some command line utilities - Wecutil and WevtUtil


  • Options
    #4
    lukin
    Registered Users Posts: 4,037 ✭✭✭lukin


    Server Operators did it for me in the end. I created a new Global Security group (called it ScheduledTasks) and made it a member of Server Operators. Then I created a user called Task Scheduler and made it a member of ScheduledTasks.
    I made this group the user's Primary Group.


Advertisement