Windows Scheduled Task: What are the minimum user rights needed for the task

scheduled-task

At the moment, I have a task that is configured to run as user "automatictask".

But the task will not run, "unable to start" is shown.

When I add this user to the Administrators group, then the task runs fine.

But in real life… I want this user to be SUPER restricted… ONLY able to run this task, no login rights, no file system rights other than to the one batch file…

I have searched high and low for a document that says "here is the most stripped down, basic user that can run a task"…

There seems to be no such document!

Suggestions?

Thanks!

Best Answer

Other than the filesystem permissions, you'll need to allow Log on as a batch job. It controls allowing the session to be created for a scheduled task.

The task scheduler should put the user in that allow list when you create the task. You can confirm with the Local Security Policy tool. The other possibility is that it's configured through group policy, in which case, do some digging in the resultant set of policy and find the GPO that needs to be changed.


Here's the other thing: Check out the permissions on c:\windows\system32\cmd.exe. They're funky. If you've removed the user from the Users group, it can't run cmd.exe by default, which tends to be a big part of running a batch file. Add the user to that ACL, with read/execute. Check any and all executables the batch file needs to touch.
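
The two checks from the answer above can be scripted. The following is an added example, not part of the original answer: it reports whether the account is listed directly for "Log on as a batch job" (`SeBatchLogonRight`) or its deny counterpart, and whether a direct allow ACE gives it read/execute on `cmd.exe` and the batch file. The batch file path is a hypothetical placeholder, and rights or ACEs held through group membership are not resolved.

```powershell
# Added example. Run elevated: secedit /export requires administrator rights.
param(
    [string]$Account   = 'automatictask',     # account name from the question
    [string]$BatchFile = 'C:\Tasks\job.bat'   # hypothetical path, replace with the real batch file
)

# Resolve the account to its SID; the exported policy lists principals as *SID or by name.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights section of the security policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Test-UserRight([string]$Right) {
    # True only when the account itself is listed; rights held through a group are not resolved.
    $hit = Select-String -Path $cfg -Pattern "^$Right\s*=" | Select-Object -First 1
    if (-not $hit) { return $false }
    $entries = ($hit.Line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    return ($entries -contains $sid) -or ($entries -contains $Account)
}

function Test-ReadExecute([string]$Path) {
    # True when an allow ACE naming the account directly grants read/execute on $Path.
    $rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $sid -and $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $rx) -eq $rx) { return $true }
    }
    return $false
}

# One row summarising the prerequisites named in the answer.
[pscustomobject]@{
    Account              = $Account
    LogOnAsBatchJob      = Test-UserRight 'SeBatchLogonRight'
    DeniedLogOnAsBatch   = Test-UserRight 'SeDenyBatchLogonRight'
    CmdExeReadExecute    = Test-ReadExecute "$env:SystemRoot\System32\cmd.exe"
    BatchFileReadExecute = Test-ReadExecute $BatchFile
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

A `False` for `LogOnAsBatchJob` or either file check points at the corresponding fix in the answer; a `True` for `DeniedLogOnAsBatch` means a deny entry is overriding the allow.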