In earlier windows server versions (prior to 2016) it was possible to grant non-admin users the permission to run a scheduled task by doing following steps:
- Scheduled Task: run under system, execute script
- Give user read and execute rights on specific task under C:\Windows\System32\Tasks\
Now in server 2016 this doesn't work anymore.
Do you know how to do it?
Thank you
related post, which didn't get answered, neither helped: Allow non-admin user to run scheduled task in Windows Server 2016
Best Answer
After digging into the topic for a while and also trying some suggestions I've came up with this script which requires the PsExec tool from PsTools/SysInternals from Microsoft:
Background: Obviously since Windows 10 (and corresponding Windows Server 2016+) the security settings are not used from the task path (C:\Windows\system32\Tasks) anymore but are stored in the registry:
I've found a script which uses the registry values. It creates a task to run as SYSTEM so you are able to edit the permissions (since Administrators also only have read-only permission).
I've edited this script to shorten it and use PsExec to edit the registry permissions as SYSTEM user.
Place
PsExec.exe
in the same directory as the script, edit the first line to hold the name of the task. Run the script from that directory.From the script author:
(A;ID;0x1301bf;;;AU)
means to addAuthenticated Users
withread and execute
permission.You can create your own permission entry by using Windows Explorer's security tab and read it from command line in SDDL format with this:
Cacls . /S
Replace
.
with the path or file if it's not your current directory.Here is the original script (archive): UnlockScheduledTask.ps1