Win OS – Task Scheduler – Access Rights – Read & Synchronize

Background

Let us move another pebble in our understanding of Scheduled Tasks.

Tasks are saved as files in the File System.

Lineage

Here are earlier posts on our journey:

  1. Task Scheduler – The user account is unknown, the password is incorrect, or the user account does not have permission to modify the task
    Link
  2. Raimund Andrée – NTFSSecurity
    Link
  3. Raimund Andrée – NTFSSecurity – Usage Scenario – Day 1
    Link

Error

Here is the original message graciously captured by our developer.

Image

Textual

Task Scheduler cannot apply your change.

The user account is unknown, the password is incorrect, or the user account does not have permission to modify the task.

Scenarios

Review permissions

Remote DB Server

Code

set _folder=\\p-hrdb01\c$\Windows\System32\Tasks\PS\HRDB\DBA\SQLServer
powershell .\..\getNTFSPermissions.ps1 -folder %_folder%

Output

Explanation

  1. Inherited Permissions
    • We are not showing inherited permissions
  2. Explicit Permissions
    • NT AUTHORITY\SYSTEM
      • Access Rights
        • Read, Synchronize
          • Read
            • The user that has been assigned to run this script is granted Read access
          • Synchronize
            • Same user has also been granted Synchronize permissions
            • This helps lessen the likelihood of disruptions and conflicts as the job is run and edited

Remote App Server

Code

set _folder=\\p-hrapp01\c$\Windows\System32\Tasks\
powershell .\..\getNTFSPermissions.ps1 -folder %_folder%

Output

Explanation

  1. Google Update Tasks
    • Tasks
      • C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
      • C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
    • Account :- NT AUTHORITY\SYSTEM
    • Permissions :-
      • ReadAndExecute
      • Synchronize
  2. Ours
    • LaunchSignup
      • Task :- c:\Windows\System32\Tasks\LaunchSignup
      • Account :- daemon Account we created in Active Directory
      • Permissions :- Read, Synchronize
    • Public Equity – Allocated MV Devel
      • Task :- c:\Windows\System32\Tasks\Public Equity – Allocated MV Devel
      • Account :- daemon Account we created in Active Directory
      • Permissions :- Read, Synchronize

Summary

A job’s metadata is saved in files arranged in hierarchical folders.

The Scheduled task creator does not have permissions on the corresponding file.

The account assigned to run the job is granted read permission on the file.

The file captures and contains the task’s metadata, so the account needs read permission to open the envelope and read its contents.
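Here is an added example (not from the post, and not the getNTFSPermissions.ps1 / NTFSSecurity script used above) that performs the same review with the built-in Get-ScheduledTask and Get-Acl cmdlets: for each task it lists the explicit (non-inherited) ACEs on the task file and flags whether the run-as account holds Read and Synchronize. It assumes it is run locally on the server as an administrator; the -TaskPath parameter name and the sample folder in its comment are assumptions.

```powershell
# Added example, not code from the original post or the NTFSSecurity module.
# Assumes: run locally on the server with administrative rights.
# -TaskPath is a Task Scheduler folder such as '\PS\HRDB\DBA\SQLServer\' (assumed sample).
param(
    [string]$TaskPath = '\'
)

$tasksRoot = Join-Path $env:SystemRoot 'System32\Tasks'
$required  = [System.Security.AccessControl.FileSystemRights]'Read, Synchronize'

foreach ($task in Get-ScheduledTask -TaskPath $TaskPath) {
    # The task's XML file sits under System32\Tasks, mirroring its TaskPath.
    $file = Join-Path $tasksRoot ($task.TaskPath.TrimStart('\') + $task.TaskName)
    if (-not (Test-Path -LiteralPath $file)) { continue }

    $runAs = $task.Principal.UserId
    $acl   = Get-Acl -LiteralPath $file

    # Explicit ACEs only; inherited permissions are ignored, as in the post.
    $explicit = $acl.Access | Where-Object { -not $_.IsInherited }

    # Match the run-as account by name (UserId may lack the domain prefix).
    # Rights granted only via group membership are not resolved here.
    $granted = $explicit | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*$runAs"
    }

    # Combine the rights of every matching Allow ACE, then test Read + Synchronize.
    $mask = 0
    foreach ($ace in $granted) { $mask = $mask -bor [int]$ace.FileSystemRights }
    $hasReadSync = ($mask -band [int]$required) -eq [int]$required

    [pscustomobject]@{
        Task             = $task.TaskPath + $task.TaskName
        RunAs            = $runAs
        ExplicitAces     = ($explicit | ForEach-Object {
                               "$($_.IdentityReference): $($_.FileSystemRights)"
                           }) -join '; '
        RunAsHasReadSync = $hasReadSync
    }
}
```

Any row with RunAsHasReadSync set to False is a task whose run-as account cannot open its own task file, which is the condition behind the error shown above.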

Advisory

Best practice suggests the following:

  1. Create Folders for different teams
  2. Assign NTFS permissions to folders and files to delegate and manage access
