10

My goal is for a limited user to be able to run a netsh script that requires administrative privileges:

    netsh wlan stop hostednetwork
    netsh wlan start hostednetwork

From my administrative account I created a task scheduler task that runs this script with elevated privileges and saved my admin password in it. It worked. But the task is not visible from the limited user account.

I tried creating the same task from the limited user task scheduler - did not happen, it told me the user has no rights to create the task.

Tried schtasks.exe from the limited user, it also does not show the task I want to run.

Is there a way to share the task I created from the administrative account with a limited user so he is able to run it on demand? Or give him privileges to create the task himself?

1
  • Note: Unlike the start command, the stop command does not require administrator privileges.
    – fefrei
    Commented Dec 28, 2014 at 19:51

2 Answers 2

18

Go to C:\Windows\System32\Tasks, find the related task and assign "read and execute" rights to the user you want to be able to access it. Be sure to assign to "current object only." Then the task will be visible and runnable from the limited user, and it will work if you saved your credentials in it and checked "run whether user is logged on or not."

4
  • Also works on Server 2008 R2
    – Jonathan
    Commented Nov 14, 2013 at 12:41
  • 1
    worked for me in Windows 8/8/8.1, but doesn't in Windows 10 [1607]. Even worse: if I create task as limited user, then edit it as admin and deny user all permissions to the task, he still can run it. And other way around – if I create task as admin, then give user full access and even change ownership, he still can't see it neither can run. Commented Feb 28, 2017 at 11:28
  • 1
    @LogicDaemon Same here, doesn't work on 1607. I've tried giving the user full rights to the task and the entire folder and still access denied. Did you ever find a solution?
    – Jason
    Commented Jun 26, 2017 at 20:29
  • @jason unfortunately not yet. Only way I know is to create dummy task by running schtasks as user who must run the task, then edit it as admin. This way user keeps ability to run the task. Commented Jun 27, 2017 at 16:29
5

Yep, that's a terrible problem. The chosen answer no longer works. I'm using the Event Log as a workaround:

  1. Register 'on an event' trigger for your task, e.g. "Application", "Application", 30204 (your magic number for this task)

  2. Log an event with this id. To do that from the command line / a batch file, I've written a dummy 3-line .NET console app.

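    using System.Diagnostics;

    // args[0] is the event ID that the task's "on an event" trigger listens for
    using (var eventLog = new EventLog("Application"))
    {
        eventLog.Source = "Application";
        eventLog.WriteEntry("EventLogTriggeer", EventLogEntryType.Information, int.Parse(args[0]));
    }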

In my case I've solved security for automated deployments on a staging environment. GitHub makes a POST request to my node.js backend that runs under IIS AppPool Identity with r/o access to the folder. It verifies the hash-signature, and executes:

    const { exec } = require('child_process');

    // delegate to privileged task
    exec('%SystemDrive%\\apps\\EventLogTrigger 30204', (err, stdout, stderr) => { /* ... */ });

The remaining part is done via a scheduled task that runs the deployment script under the user that has permissions to modify files in inetpub. Tasks are individually configured for each server and each website on them, so the path is hardcoded:

    C:\inetpub\ta\autodeploy.cmd
1
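The verify-then-trigger step that the answer above describes, sketched as an added example (not the answerer's code). It assumes GitHub's `X-Hub-Signature-256` header (HMAC-SHA256 of the raw request body), a hypothetical `handleWebhook` function, and an `.exe` suffix on the helper path; it uses `execFile` with constant arguments instead of `exec`, so nothing from the request reaches a command line.

```javascript
const crypto = require('crypto');
const { execFile } = require('child_process');

// Event ID the privileged task's "on an event" trigger listens for (from the answer).
const DEPLOY_EVENT_ID = '30204';
// Assumption: the helper from the answer, with an explicit .exe suffix for execFile.
const TRIGGER_EXE = `${process.env.SystemDrive || 'C:'}\\apps\\EventLogTrigger.exe`;

// True only if the header is "sha256=<hex HMAC-SHA256 of rawBody under secret>".
function verifySignature(secret, rawBody, signatureHeader) {
  if (typeof signatureHeader !== 'string') return false;
  // Reject anything that is not exactly 64 hex digits before decoding.
  if (!/^sha256=[0-9a-f]{64}$/i.test(signatureHeader)) return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const given = Buffer.from(signatureHeader.slice('sha256='.length), 'hex');
  // Constant-time comparison; lengths are equal here, so this cannot throw.
  return crypto.timingSafeEqual(given, expected);
}

// Verify first, then fire the trigger. The low-privileged web process can only
// raise the event; what runs afterwards is fixed in the task definition.
// `run` is injectable so the logic can be exercised without the helper installed.
function handleWebhook(secret, rawBody, signatureHeader, run = execFile) {
  if (!verifySignature(secret, rawBody, signatureHeader)) {
    return { status: 401, triggered: false };
  }
  run(TRIGGER_EXE, [DEPLOY_EVENT_ID], (err) => {
    if (err) console.error('trigger failed:', err.message);
  });
  return { status: 202, triggered: true };
}

// Constructed sample input (not a real secret or payload).
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = Buffer.from('{"ref":"refs/heads/main"}');
const SAMPLE_SIG = 'sha256=' +
  crypto.createHmac('sha256', SAMPLE_SECRET).update(SAMPLE_BODY).digest('hex');

console.log('sample signature valid:',
  verifySignature(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_SIG));
```

The HMAC must be computed over the raw request bytes, before any JSON parsing or re-serialization.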
