A user can schedule a task to run in the security context of a user account that has more user rights (883273)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition

INTRODUCTION

When you use the Scheduled Task Wizard to create a scheduled task on a Microsoft Windows Server 2003-based computer, you must be a member of the Administrators group, the Backup Operators group, or the Server Operators group on the local computer. Additionally, you must type the user name and the password of a user account to schedule the task. When the scheduled task starts, it runs as if it were started by this user. Therefore, the scheduled task runs in the security context of this user account. If you type the user name and the password of a user account that belongs to a group that has more user rights than the group where you are a member, the task will not run as you expect, because the user name and the password are not configured for the task. However, a user may be able to use the schtasks command to schedule a task to run in the security context of a user account that has more user rights, including administrative rights.

MORE INFORMATION

A member of the Administrators group can use the Cacls.exe utility to modify the discretionary access control List (DACL) of the Tasks folder and grant a member of any group permission to create or to modify scheduled tasks. If a member of the Administrators group uses the Cacls.exe utility to modify the DACL of the Tasks folder, a user may be able to use the schtasks command to create a scheduled task to run in the security context of a user account that has more user rights, including administrative rights. However, if the user creates a second scheduled task to run under the same user account that has more rights, the user receives a message that is similar to the following, where taskname is the name of the task:WARNING: The scheduled task taskname has been created, but may not run because the account information could not be set.The scheduled task is created, but the user name and password account information are not configured for the task.

For more information about how to use the Cacls.exe utility to modify a DACL, visit the following Microsoft Web site:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Cacls.asp

Modification Type:MinorLast Reviewed:11/30/2004
Keywords:kbinfo kbprb kbtshoot KB883273 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.