Navigation

Home
dasBlog
CodePlex
newtelligence AG

Search

Categories

 
 
 
 
 
 
 
 
 
 
 
 
 

On this page

Archive

January, 2010 (1)
December, 2009 (3)
October, 2009 (2)
September, 2009 (1)
January, 2009 (2)
September, 2008 (2)
August, 2008 (1)
April, 2008 (4)
March, 2008 (2)
January, 2008 (2)
December, 2007 (2)
October, 2007 (4)
September, 2007 (1)
July, 2007 (1)
May, 2007 (6)
April, 2007 (6)
January, 2007 (4)
December, 2006 (3)
October, 2006 (2)
September, 2006 (2)
August, 2006 (2)
July, 2006 (2)
June, 2006 (1)
May, 2006 (3)
December, 2005 (1)
November, 2005 (2)
October, 2005 (6)
September, 2005 (5)
August, 2005 (2)
July, 2005 (8)
May, 2005 (4)
April, 2005 (1)
February, 2005 (4)
January, 2005 (6)
December, 2004 (13)
November, 2004 (3)
October, 2004 (3)

Blogroll

[Feed] Omar Shahine
[Feed] Scott Hanselman

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

RSS 2.0 | Atom 1.0 | CDF

Send mail to the author(s) E-mail

Total Posts: 120
This Year: 1
This Month: 0
This Week: 0
Comments: 40

Sign In
Pick a theme:

# Monday, August 28, 2006
Win2k3 server, how I love thee, let me count the ways
Monday, August 28, 2006 2:30:25 PM (Mountain Daylight Time, UTC-06:00) ( )

Creating a Scheduled task with a named account is a fun thing to do.

You get to do all sorts of wonderful things.

Including paying attention to this KB and the associated implications

http://support.microsoft.com/?id=867466

When your Scheduled task is a batch file, that account HAS to have READ & EXECUTE access to the CMD.EXE file in %SYSTEMROOT%\SYSTEM32

If you don't you get a wonderfully non-descript error of 0x80070005: Access is denied. This shows up in Task Scheduler as "Cannot start task"

Anyway - the problem is solved by adding an Access Control Entry (ACE) to the Access Control List (ACL) to the file for a well known security ID. Which one?
The one I needed was...
 
SID: S-1-5-3
Name: Batch
Description: A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.
 
I was trying to setup a scheduled task using a domain user. Thusly, they have to have the ability to login as a batch, which should be setup automagically when creating the job. They're not logged on Interactively (the console), and they're not running as a service (services.msc). We're definately not running under telnet, and that user shouldn't be an administrator for obvious reasons. That leaves us with the final solution.
 
Also, if the scheduled task is a batch file, that user has to have access to the CMD.EXE file in %SYSTEMROOT%\SYSTEM32\
On windows 2003 server by default, that file has the ACL
 
BUILTIN\Administrators:F
NT AUTHORITY\INTERACTIVE:R
NT AUTHORITY\SERVICE:R
NT AUTHORITY\SYSTEM:F
SERVERNAME\TelnetClients:R
 
I needed to have an ACE for
 
NT AUTHORITY\BATCH:R
 
 in that list for my task to work
Comments [0] | | # 
Comments are closed.