
TechTip: Run scheduled tasks on Windows 2003 using a non-administrative account

Many organizations restrict the use of accounts with local administrator privileges for running scheduled tasks. Using individual "service" accounts with limited permissions for scheduled tasks is good practice from an information security perspective: password expiration policies can keep applying to the administrative accounts without breaking every scheduled task each time an administrator's password changes. However, Windows Server 2003 assigns the default "Read & Execute" permission on cmd.exe differently from Windows 2000 (it no longer grants it to the entire "Users" group by default), so a scheduled batch script run under a non-administrative account fails out of the box on Windows Server 2003.

If you try to run a scheduled batch file on Windows Server 2003 under a non-administrator account (which you may want to do for many reasons, such as backing up files or restarting services), the task will most likely fail with the following error:

0x80070005: Access is denied.

Instead of resorting to running the scheduled batch file as a local administrator, you can grant the account that runs the task Read & Execute permission on cmd.exe (the account still needs read access to the batch file itself and to anything the script invokes). The steps, performed from an administrator session:

1. Navigate to C:\Windows\System32 (or whichever %windir%\System32 folder is on your system).
2. Right-click on cmd.exe and click "Properties".
3. Under the "Security" tab click "Add" to bring up the "Select Users or Groups" dialog.
4. Enter the name of the unprivileged account that the scheduled task will run under and click "OK".
5. "Read & Execute" is selected by default for the new entry, so just click "OK" on the "cmd.exe Properties" dialog and you're done.

Alternatively, if you have many scheduled batch files and service accounts and don't want to add an entry for every single one of them, you can grant "Read & Execute" on cmd.exe to the built-in "BATCH" group instead. Windows adds this well-known group (NT AUTHORITY\BATCH) to the token of any process started with a batch logon, which is how the Task Scheduler launches tasks, so the grant covers every scheduled-task process regardless of which account it runs under. To do that, just enter "BATCH" (no quotes) instead of the individual account name in step 4 above. Note that this is a broader grant than a per-account entry: any account the scheduler can run a task as will be able to execute cmd.exe, so prefer per-account entries if you only have a handful.
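The same change done from a script, as an added example that is not part of the original post. It uses PowerShell's Get-Acl/Set-Acl (assumed to be available on the host; it was a separate install on Windows Server 2003), must be run from an elevated administrator session, and takes the account name as a parameter. The account name SVC-Backup and the task name rx-check are placeholders chosen for the example; replace them with your own. Pass "BATCH" as the principal to get the group-wide variant described above.

```powershell
# Added example, not code from the original article.
# Grants Read & Execute on cmd.exe to one principal and verifies the ACE landed.
param(
    # Placeholder account (assumption); use "BATCH" for the group-wide variant.
    [string]$Principal = "$env:COMPUTERNAME\SVC-Backup",
    [string]$CmdPath   = (Join-Path $env:windir 'System32\cmd.exe')
)

# Resolve the name to a SID once, so that "BATCH" and "NT AUTHORITY\BATCH"
# (or a domain account written either way) compare correctly below.
$sid = (New-Object System.Security.Principal.NTAccount($Principal)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Test-ReadExecuteAce {
    # Returns $true when an explicit or inherited Allow ACE grants at least
    # Read & Execute to $sid on the file.
    param([string]$Path, [System.Security.Principal.SecurityIdentifier]$Sid)
    $acl = Get-Acl -Path $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $Sid -and
            $r.AccessControlType -eq 'Allow' -and
            (($r.FileSystemRights -band $rx) -eq $rx)) {
            return $true
        }
    }
    return $false
}

if (Test-ReadExecuteAce -Path $CmdPath -Sid $sid) {
    Write-Host "$Principal already has Read & Execute on $CmdPath; nothing to do."
    return
}

# Add the ACE and write the ACL back. Set-Acl on a System32 binary requires
# an elevated session; it will fail with Access Denied otherwise.
$acl  = Get-Acl -Path $CmdPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, $rx, [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $CmdPath -AclObject $acl

# Re-read the ACL rather than trusting the in-memory object.
if (-not (Test-ReadExecuteAce -Path $CmdPath -Sid $sid)) {
    throw "Read & Execute ACE for $Principal was not applied to $CmdPath"
}
Write-Host "Granted Read & Execute on $CmdPath to $Principal."

# Exercise the real path: create a one-off task as the account, run it, and
# read back its exit status. rx-check and C:\temp are placeholders (assumption).
# You will be prompted for the account's password (/RP *); BATCH is not a
# logon account, so for that variant use a real task account here.
if ($Principal -notmatch 'BATCH$') {
    schtasks.exe /Create /F /TN rx-check /SC ONCE /ST 00:00 /RU $Principal /RP * `
        /TR 'cmd.exe /c echo ok > C:\temp\rx-check.txt'
    schtasks.exe /Run /TN rx-check
    Start-Sleep -Seconds 5
    # "Last Result" should read 0; 0x80070005 shows up as -2147024891 here.
    schtasks.exe /Query /TN rx-check /V /FO LIST | Select-String 'Last Result'
    schtasks.exe /Delete /F /TN rx-check
}
```

The check function compares SIDs instead of names so the same code handles a local account, a domain account, and the well-known BATCH group, and the re-read after Set-Acl is the part worth keeping even if you apply the ACE some other way: a task that still reports 0x80070005 after the change usually means the ACE went onto the wrong file or the wrong principal.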

Microsoft's KB has an article addressing this issue here.
