HOW TO: Prevent Users from Scheduling Tasks in Windows 2000 (310208)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2

This article was previously published under Q310208

SUMMARY

The Windows 2000 Task Scheduler enables you to configure Windows to automatically open a document, start a program, or run a script at a preconfigured time. This functionality is convenient for administrators, who can force these tasks to occur at specified times on users' computers. The Task Scheduler starts by default when you start Windows 2000 and runs in the background.

In a high-security environment, Task Scheduler can pose a security threat. Users can create new tasks or delete those that are set to run by the administrator. If you are an administrator, you can control this behavior to provide greater security and ensure that only the tasks that you configure run at the proper time. This article describes how you can prevent users from scheduling tasks.


Deny Users Permissions to View or Change Scheduled Tasks

You can set advanced permissions on files and folders so that users do not have permission to view or change a scheduled task. To do so:
  1. Click Start, point to Programs, point to Accessories, point to System Tools, and then click Scheduled Tasks.
  2. Right-click the task on which you want to set permissions, click Properties, and then click the Security tab.
  3. Click Advanced, click the user or group for whom you want to set permissions, and then click View/Edit.
  4. Assign the appropriate permissions.


Deny Users the Ability to Create or Delete Scheduled Tasks

You can also deny users the ability to create or delete tasks on a more global basis by using Windows 2000 Group Policy. Microsoft has provided a built-in administrative template to make it easy to accomplish this task. You can apply the policy to the users in a site, domain, or organizational unit. To do so:
  1. Create or edit the applicable group policy.

    For example, if you want this policy to be a domain-wide policy, use the following procedure:
    1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.
    2. Right-click the domain name, click Properties, and then click the Group Policy tab.
    3. Click the default domain policy, and then click Edit to open the Group Policy console.
  2. In the left pane of the Group Policy console, click to expand the User Configuration node.
  3. Click to expand Administrative Templates, and then click to expand Windows Components.
  4. Click Task Scheduler.
  5. In the right pane, double-click Disable New Task Creation.

    NOTE: To prevent users from deleting scheduled tasks, double-click Disable Task Deletion.
  6. By default, this policy is not configured. To configure it, click Enabled, and then click OK.

When this policy is enabled, users cannot create new scheduled tasks either by using the New Task Wizard or by pasting, moving, or dragging programs or documents into the Scheduled Tasks folder.

This policy is displayed in the Computer Configuration and User Configuration folders. If both policies are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.

NOTE: This policy does not prevent administrators of a computer from using At.exe to create new tasks or from submitting tasks from remote computers.
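
To confirm that the two settings were applied, and which scope wins, the following added example (not part of the original article) reads the policy values from the registry and applies the precedence rule described above. It assumes a Windows version with PowerShell on which the Task Scheduler administrative template writes to the key shown; the key, the value names and the function names are assumptions not given in the article.

```powershell
# Assumption (not stated in the article): the Task Scheduler administrative
# template stores its settings under this policy key in HKLM and HKCU.
$PolicySubKey = 'Software\Policies\Microsoft\Windows\Task Scheduler5.0'

# Registry value name -> policy name as shown in the article.
$Policies = [ordered]@{
    'Task Creation' = 'Disable New Task Creation'
    'Task Deletion' = 'Disable Task Deletion'
}

function Get-PolicyValue {
    param([string]$Hive, [string]$Name)
    # $null means "Not configured": the key or the value is absent.
    $path = "${Hive}:\$PolicySubKey"
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Format-State {
    param($Value)
    if ($null -eq $Value) { return 'Not configured' }
    if ($Value -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-TaskSchedulerPolicy {
    foreach ($name in $Policies.Keys) {
        $computer = Get-PolicyValue -Hive 'HKLM' -Name $name
        $user     = Get-PolicyValue -Hive 'HKCU' -Name $name   # current user only
        # Per the article: if both are configured, Computer Configuration wins.
        $effective = if ($null -ne $computer) { $computer } else { $user }
        [pscustomobject]@{
            Policy    = $Policies[$name]
            Computer  = Format-State $computer
            User      = Format-State $user
            Effective = Format-State $effective
        }
    }
}

Get-TaskSchedulerPolicy | Format-Table -AutoSize
```

Run it in the session of the user whose policy you want to check, because the User Configuration value is read from that user's own hive.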


Modification Type: Major
Last Reviewed: 12/18/2003