
Subinacl: Schedule - OpenService Error : 5 Access is denied


I am trying to grant some permissions for the "NonAdmin" user for "Task Scheduler".

If you execute this command:

PS > C:\Windows\System32\sc.exe queryex type= service state=all

You can find that the "Task Scheduler" service name is "Schedule":

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler

Then I tried to run a simple command to display the existing rights:

PS >.\subinacl.exe /Service Schedule /display=dacl

Tried to grant some rights:

PS >.\subinacl.exe /Service Schedule /grant=NonAdmin=R

But both commands are throwing Access is denied:

Schedule - OpenService Error : 5 Access is denied.


Elapsed Time: 00 00:00:00
Done:        1, Modified        0, Failed        1, Syntax errors        0
Last Done  : Schedule
Last Failed: Schedule - OpenService Error : 5 Access is denied.

My environment: OS: Windows 8.1 Enterprise; Workgroup: connected to domain (also tried on VM not connected to domain - same access denied); I am administrator; I run PowerShell as administrator.

How can I solve this "Access denied" issue and grant some rights to the NonAdmin user for the "Task Scheduler"?

Updated 28/11/2017:

With RbMm's help I gave permissions to the user; he can create a new scheduled task now. One problem is left: he can't delete/remove the created task. I am giving almost all grants to the user:

"(A;;GAGRGWGXRCSDCCDCLCSWRPWPDTLOCRSDRCFAFRFWFX;;;<USER_SID>)"

But I still get this error when I try to delete/remove the scheduled task:

The error returned is: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Notes:

  • This is domain user.
  • I tried to give permissions for %windir%\Tasks to that user, but it did not help.

What am I missing? Why can't the user delete the task?


Solution

  • You can use the sc sdshow schedule command to view the Schedule service's security descriptor. By default it returns a string like D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD). This means:

    T FL AcessMsK Sid
    A 00 0002008D S-1-5-11 'Authenticated Users'
    A 00 000E01DD S-1-5-32-544 'Administrators'
    A 00 000F01FF S-1-5-18 'SYSTEM'
    A 00 0002008D S-1-5-32-545 'Users'
    

    Note that Administrator does not have full access on this service, only E01DD (it does not have DELETE|SERVICE_STOP|SERVICE_CHANGE_CONFIG).

    To change it we can use, for example, sc sdset schedule D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)

    This means the following access:

    T FL AcessMsK Sid
    A 00 0002008D S-1-5-11 'Authenticated Users'
    A 00 000F01FF S-1-5-32-544 'Administrators'
    A 00 000F01FF S-1-5-18 'SYSTEM'
    A 00 000F01FF S-1-5-32-545 'Users'
    

    So Users, Administrators, and SYSTEM have full access (F01FF). If you want another access combination, look at Security Descriptor String Format.
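
An added example, not part of the original answer: a small Python decoder for the service SDDL strings quoted above. It reproduces the access-mask tables and flags allow ACEs that give a broad group rights to reconfigure the service or rewrite its ACL. The `DANGEROUS` and `BROAD` sets and the function names are this example's assumptions.

```python
import re

# Service access rights behind the SDDL codes (values from winsvc.h / winnt.h).
RIGHTS = {
    "CC": 0x1,      # SERVICE_QUERY_CONFIG
    "DC": 0x2,      # SERVICE_CHANGE_CONFIG
    "LC": 0x4,      # SERVICE_QUERY_STATUS
    "SW": 0x8,      # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x10,     # SERVICE_START
    "WP": 0x20,     # SERVICE_STOP
    "DT": 0x40,     # SERVICE_PAUSE_CONTINUE
    "LO": 0x80,     # SERVICE_INTERROGATE
    "CR": 0x100,    # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
}
SIDS = {"AU": "Authenticated Users", "BA": "Administrators",
        "SY": "SYSTEM", "BU": "Users", "WD": "Everyone"}
# Assumption of this example: rights treated as risky, groups treated as broad.
DANGEROUS = RIGHTS["DC"] | RIGHTS["WD"] | RIGHTS["WO"]
BROAD = {"AU", "BU", "WD"}

def decode_dacl(sddl):
    """Return [(ace_type, mask, trustee)] for the D: part of a service SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop the SACL, if present
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, _, rights, _, _, trustee = body.split(";")[:6]
        if rights.startswith("0x"):          # numeric mask form
            mask = int(rights, 16)
        else:
            mask = 0
            for code in re.findall("..", rights):
                mask |= RIGHTS[code]         # KeyError on non-service codes
        aces.append((ace_type, mask, trustee))
    return aces

def risky_aces(sddl):
    """Allow ACEs that give a broad group config-change or ACL/owner-write rights."""
    return [(SIDS.get(t, t), hex(m)) for a, m, t in decode_dacl(sddl)
            if a == "A" and t in BROAD and m & DANGEROUS]
# The two descriptors quoted in the answer above.
DEFAULT = "D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
MODIFIED = "D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)"
if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT), ("modified", MODIFIED)):
        print(name, [(t, f"{m:08X}") for _, m, t in decode_dacl(sddl)], risky_aces(sddl))
```

Saving the output of `sc sdshow` before any `sc sdset` and decoding both strings this way shows exactly which principals gained which rights.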