I have a PowerShell script I've written to do a comparison of Scheduled Tasks between two nodes of our application server cluster. It uses this code to query the tasks from a given server...

function getTasks($server) {
    # Query the node over CIM and keep only the tasks under our application folder
    return Get-ScheduledTask -CimSession $server |
        Where-Object TaskPath -like '*OurFolder*' |
        ForEach-Object {
            [pscustomobject]@{
                Server = $server
                Path = $_.TaskPath
                Name = $_.TaskName
                Disabled = ($_.State -eq 'Disabled')
                Command = $_.Actions.Execute
                Arguments = $_.Actions.Arguments
                Interval = $_.Triggers.RepetitionInterval
                # Keys used to match tasks between the two nodes: by command only, and by the full definition
                HashId = "$($_.Actions.Execute)|$($_.Actions.Arguments)"
                HashFull = "$($_.TaskPath)|$($_.TaskName)|$($_.Actions.Execute)|$($_.Actions.Arguments)|$(($_.State -eq 'Disabled'))"
            }
        }
}

It works perfectly when run under my domain admin account.

However, when I try to run it under our service account as a scheduled task, it gets this error when trying to query the scheduled tasks on the other node ...

Get-ScheduledTask : SERVER.domain.local: Cannot connect to CIM server. Access is denied.
At F:\Applications\TaskSchedulerNodeCompare\compare-nodes.ps1:9 char:12
+     return Get-ScheduledTask -CimSession $server |
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask

Googling and looking around, it LOOKS like the only way to allow an account to access this list would be to add it to the local Administrators group on the server in question? But it really doesn't feel right to have to make our service account a local admin, and obviously we don't want the task to run under my domain admin account.

I've tried solution no. 3 here, which sounds like it would be it...

1.  As an Administrator of the server, go to Server Manager -> Tools -> Computer Management.  On the left expand "Services and Applications" and right click "WMI Control".  Go to "Properties".
2.  In the newly open Window, click on Security tab.
3.  Expand Root tree, and then click on the node CIMV2, and click the button security
4.  In the newly open Window, click the button Advanced.
5.  In the newly open Window, click the button Add under the permission tab.
6.  In the newly open Window, click on "select a principal", then search for the user that was having the problem.
7.  In the applies to, choose "this namespace and subnamespace".
8.  For the permission, check on "Execute Methods", "Enable Accounts" and "Remote Enable"
9.  Click accept on all the open dialogue boxes
10. Restart WMI services.  As an Administrator of the server, go to Server Manager -> Tools -> Computer Management.  On the left expand "Services and Applications" and click on "Services".  Go to "Windows Management Instrumentation" and right click it.  Then choose "Restart".
11. Try the command again. The above directions were adapted from this StackOverflow posting.

but even after doing all those steps, it still won't work.

How can I allow our service account to query (read-only) the scheduled tasks from our servers, while being as security conscious as possible?

eidylon
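The two-node comparison the script above is written for, as an added example that is not the asker's code: it opens each CIM session explicitly under a chosen credential so a connection failure (such as the "Access is denied" above) is reported per node, then diffs the two inventories on the HashFull key. The node names, the folder filter and the credential prompt are assumptions; the account supplied must still be one that is permitted to read the tasks on both nodes.

```powershell
# Added example, not the asker's script: inventory the tasks of two cluster nodes and
# report every task whose definition differs between them.
$NodeA = 'APP01'   # assumed node name
$NodeB = 'APP02'   # assumed node name
$Credential = Get-Credential -Message 'Account permitted to read the scheduled tasks'

function Get-TaskInventory([string]$Server, [pscredential]$Credential) {
    # Open the CIM session explicitly so a failed connection is reported for the
    # node it belongs to instead of surfacing later as a broken-session error.
    try {
        $session = New-CimSession -ComputerName $Server -Credential $Credential -ErrorAction Stop
    } catch {
        throw "Cannot open a CIM session to ${Server}: $($_.Exception.Message)"
    }
    try {
        Get-ScheduledTask -CimSession $session |
            Where-Object TaskPath -like '*OurFolder*' |   # assumed folder filter
            ForEach-Object {
                # A task can carry several actions; join them so each key is one string.
                $cmd     = ($_.Actions.Execute -join ';')
                $argList = ($_.Actions.Arguments -join ';')
                [pscustomobject]@{
                    Server    = $Server
                    Path      = $_.TaskPath
                    Name      = $_.TaskName
                    Disabled  = ($_.State -eq 'Disabled')
                    Command   = $cmd
                    Arguments = $argList
                    HashFull  = "$($_.TaskPath)|$($_.TaskName)|$cmd|$argList|$($_.State -eq 'Disabled')"
                }
            }
    } finally {
        Remove-CimSession $session
    }
}

# Wrap in @() so an empty inventory compares cleanly instead of failing on $null.
$a = @(Get-TaskInventory -Server $NodeA -Credential $Credential)
$b = @(Get-TaskInventory -Server $NodeB -Credential $Credential)

# SideIndicator '<=' marks a definition present only on $NodeA, '=>' only on $NodeB;
# a task that exists on both but differs (e.g. disabled on one) shows up as one of each.
Compare-Object -ReferenceObject $a -DifferenceObject $b -Property HashFull -PassThru |
    Select-Object SideIndicator, Server, Path, Name, Disabled, Command, Arguments |
    Sort-Object Path, Name |
    Format-Table -AutoSize
```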

1 Answer

From all I know, a scheduled task can only be seen by its creator or by a member of the local admin group. I also doubt that any working solution would cover tasks created after changing permissions on local objects or something similar.

Also, see this question/answer which seems very similar: Permissions or ACL for Scheduled Tasks

Manu