I am trying to grant some permissions for "NonAdmin" user for "Task Scheduler".
If you execute this command:
PS > C:\Windows\System32\sc.exe queryex type= service state=all
you can find that "Task Scheduler" service name is "Scheduler":
SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
Then I tried to run simple command to display existing rights:
PS >.\subinacl.exe /Service Schedule /display=dacl
Tried to grant some rights:
PS >.\subinacl.exe /Service Schedule /grant=NonAdmin=R
But both commands are throwing Access is denied:
Schedule - OpenService Error : 5 Access is denied.
Elapsed Time: 00 00:00:00
Done: 1, Modified 0, Failed 1, Syntax errors 0
Last Done : Schedule
Last Failed: Schedule - OpenService Error : 5 Access is denied.
My environment: OS: Windows 8.1 Enterprise; Workgroup: connected to domain (also tried on VM not connected to domain - same access denied); I am administrator; I run PowerShell as administrator.
How I can solve this "Access denied" issues and grant some rights for NonAdmin user for the "Task Scheduler" ?
Updated 28/11/2017:
With RbMm help I gave permissions for the use, he can create new scheduled task now. One problem left that he can`t delete/remove that created task. I giving all most all grants to the user:
"(A;;GAGRGWGXRCSDCCDCLCSWRPWPDTLOCRSDRCFAFRFWFX;;;<USER_SID>)"
But I still get this error when try to delete/remove scheduled task:
The error returned is: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
Notes:
What I am missing, why user can`t delete task?
you can use sc sdshow schedule
command for view schedule
security descriptor. by default it return string like D:(A;;CCLCSWLORC;;;AU)(A;;CCLCSWRPDTLOCRRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCLCSWLORC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
this mean:
T FL AcessMsK Sid
A 00 0002008D S-1-5-11 'Authenticated Users'
A 00 000E01DD S-1-5-32-544 'Administrators'
A 00 000F01FF S-1-5-18 'SYSTEM'
A 00 0002008D S-1-5-32-545 'Users'
note that Administrator not have full access on this service, only E01DD
(not have DELETE|SERVICE_STOP|SERVICE_CHANGE_CONFIG
)
for change we can use for example sc sdset schedule D:(A;;CCLCSWLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)
this mean next access:
T FL AcessMsK Sid
A 00 0002008D S-1-5-11 'Authenticated Users'
A 00 000F01FF S-1-5-32-544 'Administrators'
A 00 000F01FF S-1-5-18 'SYSTEM'
A 00 000F01FF S-1-5-32-545 'Users'
so users, Administrators, and SYSTEM have full access (F01FF
), if you want another access combination - look Security Descriptor String Format