Is it possible to run a CMD script in Task Scheduler as a particular user without checking the option "Run with highest privileges"?
Simple test:
- Create D:\Admin\Scripts\TestScripts\testscript.cmd
- Script is very simple:
echo success > D:\Admin\Scripts\TestScripts\out.txt
- Grant full permissions to user mydoman\admin (a member of the Domain Admins group, which is included in the local Administrators group when the server is a domain member) to D:\Admin\Scripts\TestScripts and all subdirs and files
- Create task with action:
- command:
D:\Admin\Scripts\TestScripts\testscript.cmd
- start in:
D:\Admin\Scripts\TestScripts
- command:
- Change user to mydoman\admin
- Select "Run whether user is logged on or not"
- DO NOT select "Run with highest privileges"
- OK, enter password, done
Start task manually, and it finishes with code 0x1.
If I check the "Run with highest privileges" option it runs fine, and the out.txt file is created.
The same effect occurs when the task is created with these parameters:
- command:
cmd.exe
- args:
/c D:\Admin\Scripts\TestScripts\testscript.cmd
- start in:
D:\Admin\Scripts\TestScripts
The questions are:
- Is it mandatory to check "Run with highest privileges"?
- Can the CMD script run without highest privileges?
- Does MS have any article with a clear explanation of how and why to run CMD files in Task Scheduler?
Best Answer
This is UAC kicking in. Long story short, you need to provide write access to the target directory for the given user, WITHOUT relying on the user's membership of the Administrators group.
e.g.: if the ACLs for the current directory are:
...you need to either add a direct ACL entry, e.g.: username:(OI)(CI)(M) or an ACL entry for a group that the user is a member of.
The reason being, UAC is preventing the membership of the Administrators group from having any effect without prior elevation. This is by design.
I hope this makes sense.
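To see the answer's point on a concrete directory, here is an added PowerShell check (not code from the question or the answer). It assumes the directory and account from the question, lists which identities hold an Allow ACE with write (CreateFiles) rights, flags the BUILTIN\Administrators entry as unusable by a UAC-filtered token, and prints the icacls grant the answer describes when nothing else grants write.

```powershell
# Added example, not from the original question or answer.
# Assumed values taken from the question; adjust to your own environment.
$Path = 'D:\Admin\Scripts\TestScripts'
$User = 'mydoman\admin'

# A task that runs WITHOUT "Run with highest privileges" gets a UAC-filtered
# (non-elevated) token. In that token BUILTIN\Administrators (S-1-5-32-544)
# is marked deny-only, so an ACE granted to it never satisfies an access check.
$adminsSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$adminsName = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value

# CreateFiles (same bit as WriteData) is what "echo ... > out.txt" needs on the
# directory. Full Control and Modify both include it. This is a simplified
# check: Deny ACEs and the user's own group memberships are not evaluated.
$writeBit = [System.Security.AccessControl.FileSystemRights]::CreateFiles

$acl = Get-Acl -Path $Path
$writeAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $writeBit) -ne 0)
}

$usableGrantFound = $false
foreach ($ace in $writeAces) {
    $who = $ace.IdentityReference.Value
    if ($who -eq $adminsName) {
        Write-Host "Write granted to $who -> ignored by a non-elevated token"
    } else {
        Write-Host "Write granted to $who -> usable without elevation (if the task user is $who or a member)"
        $usableGrantFound = $true
    }
}

if (-not $usableGrantFound) {
    Write-Host "No write grant outside Administrators. Add a direct ACE, e.g.:"
    Write-Host "  icacls `"$Path`" /grant `"${User}:(OI)(CI)(M)`""
}
```

To confirm which token a running task actually holds, `whoami /groups` from inside the task shows "Group used for deny only" next to BUILTIN\Administrators when the token is filtered.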