Powershell - Why does powershell -Command "Restart-Service Tomcat6" fail when run from a Scheduled Task

Tags: powershell, scheduled-task, windows-server-2008

I get the following error in the Scheduled Task history when I try to run a task:

Task Scheduler successfully completed task "\Restart Tomcat" ,
instance "{264b4620-5f3b-6c5f-a6cb-1625a7fa57de}" ,
action "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"
with return code 1.

The scheduled task is configured as follows:

  • Name: Restart Tomcat
  • User: DOMAIN\tomcat.restarter
  • Triggers: Daily 2AM Enabled
  • Actions: Start a Program:
    • Program/script: powershell
    • Arguments: -Command "Restart-Service Tomcat6"

When I launch a Command Prompt as DOMAIN\tomcat.restarter with:

runas /user:DOMAIN\tomcat.restarter cmd

And run:

powershell -Command "Restart-Service Tomcat6"

Then echo %errorlevel% prints 0 and Tomcat gets restarted. This shows that the SDDL on the Tomcat6 service is sufficient for the purpose and that DOMAIN\tomcat.restarter can restart it.

If I change the scheduled task arguments to -Command "'hello world'" > '%TEMP%\Temp.log' I get return code 0 in the Task History and hello world shows up in C:\Users\tomcat.restarter\AppData\Local\Temp\Temp.log. This shows that the Log on as a batch job User Right is effective for DOMAIN\tomcat.restarter, that it can run Powershell and that it can write files.

UPDATE: Further investigation

I created a restart.bat in D:\tomcat\bin and set the Program/script to restart.bat, arguments to > "%TEMP%\Temp.log" 2>&1 and Start in to D:\tomcat\bin.

Listing of restart.bat:

powershell -Command "Restart-Service Tomcat6"

I get the following content in C:\Users\tomcat.restarter\AppData\Local\Temp\Temp.log:

D:\tomcat\bin>powershell -Command "Restart-Service Tomcat6"
Restart-Service : Cannot open Tomcat6 service on computer '.'.
At line:1 char:16
+ Restart-Service <<<<  Tomcat6
    + CategoryInfo          : NotSpecified: (:) [Restart-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.RestartServiceCommand

Why does powershell -Command "Restart-Service Tomcat6" fail when run from a Scheduled Task?
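The batch-file redirection above is what finally surfaced the error text. A wrapper script for the task action does the same job without the extra batch file: it records which account the task really runs as, turns the Restart-Service error into a caught exception, writes the full error record to a log and returns a distinct exit code so the Task Scheduler history shows more than "return code 1". This is an added example, not code from the original question; the service name Tomcat6 comes from the question, while the script name Restart-Tomcat.ps1 and the log location under %TEMP% are assumptions.

```powershell
# Restart-Tomcat.ps1 (assumed name): wrapper for the scheduled task action.
# Added example, not from the original post. Logs the running identity, the
# outcome and the full error record, and returns a distinct exit code.
param(
    [string]$ServiceName = 'Tomcat6',
    [string]$LogPath = (Join-Path $env:TEMP 'Restart-Tomcat.log')   # assumed location
)

# Restart-Service reports "Cannot open ... service" as a non-terminating
# error; Stop turns it into an exception the catch block below can record.
$ErrorActionPreference = 'Stop'

function Write-Log([string]$Message) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogPath -Value "$stamp $Message"
}

try {
    # The account the task really runs as: compare it with the runas test.
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Log "running as $who"

    Restart-Service -Name $ServiceName
    $status = (Get-Service -Name $ServiceName).Status
    Write-Log "$ServiceName restarted, status $status"
    exit 0
}
catch {
    # $_ is the same error record the batch-file redirection captured,
    # including the access problem when the service DACL does not grant
    # the account every right the cmdlet needs.
    Write-Log ("FAILED: " + $_.Exception.Message)
    Write-Log ($_ | Out-String)
    exit 2
}
```

Point the task action at the script instead of the inline command, for example Program/script powershell with Arguments -NoProfile -ExecutionPolicy Bypass -File D:\tomcat\bin\Restart-Tomcat.ps1 (path assumed). The log then shows the identity line even when the restart fails, which separates a wrong task account from a missing service right.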

Best Answer

tl;dr

My SDDL was incomplete. I needed to add SW (EnumDeps) to the already added LCRPWP permissions in the SDDL.

Long Version

Here is the (sanitized) version of my (broken) SDDL:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)

The problem is in the last clause permissions:

(A;;LCRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)

The SID S-1-1-11-1111111111-1111111111-1111111111-1111 is correct for the group DOMAIN\Tomcat Restarters that DOMAIN\tomcat.restarter is a member of. That much is right. The permissions granted (LCRPWP) are insufficient for Restart-Service.

For the Restart-Service cmdlet to work it needs the right to Enumerate Dependent Services; in the SDDL string this is SW (EnumDeps). I had LCRPWP, which allows QueryStat, Start and Stop.

The correct SDDL for Tomcat 6 for me is:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCSWRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)

The mystery is why Powershell could run Restart-Service from a runas Command Prompt, but not from the Task Scheduler.

I got the necessary revelation from reading @splattered bits' answer to his own similar issue with Restart-Service at https://serverfault.com/a/357753/57073.
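Reading LCRPWP versus LCSWRPWP by eye is error-prone, so a script that decodes the DACL and names the missing right is the check worth keeping. The following is an added example, not code from the original answer: it splits an SDDL string into ACEs, collects the access-allowed rights for one SID and compares them with the four service rights Restart-Service exercises. It runs first on the two strings quoted in the answer (with the answer's sanitized SID) and then, when run on the server, on the live descriptor from sc.exe sdshow. The service name Tomcat6 is from the page; the default SID in the parameter block is a placeholder to replace with your own group SID.

```powershell
# Added example, not part of the original answer: decode a service DACL from
# its SDDL string and report which rights Restart-Service needs are missing
# for a given SID.
param(
    [string]$ServiceName = 'Tomcat6',
    [string]$Sid = 'S-1-5-21-0000000000-0000000000-0000000000-0000'   # placeholder, use your group SID
)

# Service rights Restart-Service exercises: LC = QueryStat, SW = EnumDeps,
# RP = Start, WP = Stop. The numeric masks handle SDDL that stores the
# rights field as a hex value instead of two-letter codes.
$rightMask = @{ LC = 0x4; SW = 0x8; RP = 0x10; WP = 0x20 }
$required  = 'LC', 'SW', 'RP', 'WP'

function Get-AceRights([string]$Rights) {
    if ($Rights -match '^0x[0-9A-Fa-f]+$') {
        $mask = [Convert]::ToInt64($Rights.Substring(2), 16)
        return @($rightMask.Keys | Where-Object { ($mask -band $rightMask[$_]) -ne 0 })
    }
    # Otherwise the field is a run of two-letter codes such as LCRPWP.
    return @([regex]::Matches($Rights, '..') | ForEach-Object { $_.Value })
}

function Test-ServiceRestartRights([string]$Sddl, [string]$TargetSid) {
    $granted = @()
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;sid
        $f = $m.Groups[1].Value -split ';'
        # Only access-allowed ACEs for the SID in question count; deny and
        # audit ACEs are skipped.
        if ($f.Count -lt 6 -or $f[0] -ne 'A' -or $f[5] -ne $TargetSid) { continue }
        $granted += Get-AceRights $f[2]
    }
    $missing = @($required | Where-Object { $granted -notcontains $_ })
    New-Object PSObject -Property @{
        Sid     = $TargetSid
        Granted = @($granted | Sort-Object -Unique)
        Missing = $missing
    }
}

# Offline check against the broken and corrected strings quoted in the answer,
# using the answer's own sanitized group SID.
$groupSid = 'S-1-1-11-1111111111-1111111111-1111111111-1111'
$broken = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)'
$fixed  = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCSWRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)'
Test-ServiceRestartRights $broken $groupSid | Format-List Sid, Granted, Missing
Test-ServiceRestartRights $fixed  $groupSid | Format-List Sid, Granted, Missing

# Live check on the server: sc.exe sdshow prints the SDDL after a blank line,
# so keep only the line that starts with a descriptor component.
$live = (& sc.exe sdshow $ServiceName 2>$null | Where-Object { $_ -match '^\s*[OGDS]:' }) -join ''
if ($live) {
    $r = Test-ServiceRestartRights $live $Sid
    if ($r.Missing.Count -gt 0) {
        Write-Warning "$ServiceName DACL lacks $($r.Missing -join ', ') for $Sid"
    } else {
        "All of $($required -join ', ') granted to $Sid on $ServiceName"
    }
}
```

For the broken string the report lists SW as missing for the group SID; for the corrected string nothing is missing. Once the corrected SDDL is known, it is applied from an elevated prompt with sc.exe sdset followed by the service name and the full string, after which the script's live check should report no missing rights for the task account's group.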