1

I get the following error in the Scheduled Task history when I try to run a task:

Task Scheduler successfully completed task "\Restart Tomcat" ,
instance "{264b4620-5f3b-6c5f-a6cb-1625a7fa57de}" ,
action "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE"
with return code 1.

The scheduled task is configured as follows:

  • Name: Restart Tomcat
  • User: DOMAIN\tomcat.restarter
  • Triggers: Daily 2AM Enabled
  • Actions: Start a Program:
    • Program/script: powershell
    • Arguments: -Command "Restart-Service Tomcat6"

When I launch a Command Prompt as DOMAIN\tomcat.restarter with:

runas /user:DOMAIN\tomcat.restarter cmd

And run:

powershell -Command "Restart-Service Tomcat6"

Then echo %errorlevel% prints 0 and Tomcat gets restarted. This shows that the SDDL on the Tomcat6 service is sufficient for the purpose and that DOMAIN\tomcat.restarter can restart it.

If I change the scheduled task arguments to -Command "'hello world'" > '%TEMP%\Temp.log' I get return code 0 in the Task History and hello world shows up in C:\Users\tomcat.restarter\AppData\Local\Temp\Temp.log. This shows that the Log on as a batch job User Right is effective for DOMAIN\tomcat.restarter, that it can run PowerShell and that it can write files.

UPDATE: Further investigation

I created a restart.bat in D:\tomcat\bin and set the Program/script to restart.bat, arguments to > "%TEMP%\Temp.log" 2>&1 and Start in to D:\tomcat\bin.

Listing of restart.bat:

powershell -Command "Restart-Service Tomcat6"

I get the following content in C:\Users\tomcat.restarter\AppData\Local\Temp\Temp.log:

D:\tomcat\bin>powershell -Command "Restart-Service Tomcat6" 
Restart-Service : Cannot open Tomcat6 service on computer '.'.
At line:1 char:16
+ Restart-Service <<<<  Tomcat6
    + CategoryInfo          : NotSpecified: (:) [Restart-Service], InvalidOper 
   ationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Power 
   Shell.Commands.RestartServiceCommand

Why does powershell -Command "Restart-Service Tomcat6" fail when run from a Scheduled Task?

Alain O'Dea
  • Can you try `powershell -Command "& { Restart-Service Tomcat6 }"`? I had a similar issue scheduling my own items and had success with that. I do not know why for certain, but I had to use the `invoke-expression` operator for some reason. – Sean C. Oct 01 '12 at 18:48
  • Did you ever get a chance to try `-Command "& { Restart-Service Tomcat6 }"` as the arguments for the scheduled task? – Sean C. Oct 02 '12 at 13:10

3 Answers

3

tl;dr

My SDDL was incomplete. I needed to add SW (EnumDeps) to the already added LCRPWP permissions in the SDDL.

Long Version

Here is the (sanitized) version of my (broken) SDDL:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)

The problem is in the last clause's permissions:

(A;;LCRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)

The SID S-1-1-11-1111111111-1111111111-1111111111-1111 is correct for the group DOMAIN\Tomcat Restarters that DOMAIN\tomcat.restarter is a member of. That much is right. The permissions granted (LCRPWP) are insufficient for Restart-Service.

For the Restart-Service Cmdlet to work it needs the right to Enumerate Dependent Services. In SDDL this is SW (EnumDeps) in the SDDL string. I had LCRPWP which allows QueryStat, Start and Stop.

The correct SDDL for Tomcat 6 for me is:

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;LCSWRPWP;;;S-1-1-11-1111111111-1111111111-1111111111-1111)

The mystery is why PowerShell could run Restart-Service from a runas Command Prompt, but not from the Task Scheduler.

I got the necessary revelation from reading @splattered bits' answer to his own similar issue with Restart-Service at https://serverfault.com/a/357753/57073.

Alain O'Dea
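The fix described in the answer above, as an added example that is not part of the original post: a PowerShell check that parses a service SDDL string and reports which of the rights in the corrected ACE (LC, SW, RP, WP) a given SID lacks. The function names are hypothetical; the check looks only at allow ACEs that name the SID directly and does not resolve group membership, deny ACEs or hex access masks.

```powershell
# Added example. SDDL right codes as they apply to service objects.
$ServiceRights = @{
    CC = 'SERVICE_QUERY_CONFIG';   DC = 'SERVICE_CHANGE_CONFIG'
    LC = 'SERVICE_QUERY_STATUS';   SW = 'SERVICE_ENUMERATE_DEPENDENTS'
    RP = 'SERVICE_START';          WP = 'SERVICE_STOP'
    DT = 'SERVICE_PAUSE_CONTINUE'; LO = 'SERVICE_INTERROGATE'
    CR = 'SERVICE_USER_DEFINED_CONTROL'
}
# Rights present in the answer's corrected ACE (LCSWRPWP).
$NeededForRestart = 'LC', 'SW', 'RP', 'WP'

function Get-ServiceAce {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sddl)
    # Take the ACE run that follows "D:" (plus optional DACL flags); stops before any SACL.
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*((\([^()]*\))+)')
    if (-not $dacl.Success) { throw 'No DACL ACEs found in SDDL string' }
    foreach ($m in [regex]::Matches($dacl.Groups[1].Value, '\(([^()]*)\)')) {
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        $f = $m.Groups[1].Value -split ';'
        [pscustomobject]@{
            Type    = $f[0]
            Rights  = @([regex]::Matches($f[2], '[A-Z]{2}') | ForEach-Object { $_.Value })
            Trustee = $f[5]
        }
    }
}

function Test-RestartRight {         # hypothetical helper name
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Trustee)
    # Union of rights from allow ACEs (type A) that name this trustee.
    $granted = @(Get-ServiceAce $Sddl |
        Where-Object { $_.Type -eq 'A' -and $_.Trustee -eq $Trustee } |
        ForEach-Object { $_.Rights } | Select-Object -Unique)
    $missing = @($NeededForRestart | Where-Object { $granted -notcontains $_ })
    [pscustomobject]@{
        Granted    = $granted -join ''
        Missing    = @($missing | ForEach-Object { "$_ ($($ServiceRights[$_]))" }) -join ', '
        CanRestart = ($missing.Count -eq 0)
    }
}

# Sanitized SDDL strings from the answer; the SID is the page's placeholder value.
$sid    = 'S-1-1-11-1111111111-1111111111-1111111111-1111'
$common = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
          '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
Test-RestartRight "${common}(A;;LCRPWP;;;${sid})"   $sid   # the broken ACE
Test-RestartRight "${common}(A;;LCSWRPWP;;;${sid})" $sid   # the corrected ACE
```

On a live host the input string is the output of `sc.exe sdshow Tomcat6`.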
0

Does the command require elevation? Even if you have UAC turned all the way down, the scheduled task would need the check box for having elevated privileges.

Steven Murawski
  • Good idea. However, with "Run with highest privileges" checked the result is the same: "return code 1". – Alain O'Dea Oct 01 '12 at 18:42
  • Have you tried redirecting the output to a text file? Like -Command "Restart-Service Tomcat6 > c:\RestartTomcatOutput.txt" or somewhere the account would have access to? – Steven Murawski Oct 01 '12 at 18:44
  • I have, it creates an empty file. – Alain O'Dea Oct 01 '12 at 19:02
  • I should have clarified. The command does not require elevation. I had granted privileges I thought were sufficient to the user in the Tomcat6 service's SDDL, but I missed "SW" (EnumDeps). – Alain O'Dea Oct 02 '12 at 13:22
0

I was going to add this as a comment but the code handling is horrid:

Can you add a few lines to capture some more info please?

$1 = Get-Service *tomcat*
Restart-Service $1
$1 >log.log
$error >>log.log

$error should output all the error information that has been generated in this session.

$1 will just show what it finds when it searches for the Tomcat service, just in case it can't see it for whatever reason.

Patrick
  • This is probably paranoia, but I'd be worried about dragging in unintended services with `*tomcat*`. This is especially risky since the next line immediately invokes Restart-Service. It would probably be better to go step by step and log Get-Service `*tomcat*`. Where would log.log end up here? – Alain O'Dea Oct 03 '12 at 16:15
  • @AlainO'Dea You are correct about the Restart-Service being too wide ranging. If I were to do this on my own systems I would run it once and confirm exactly what the service name is, and specifically perform the Get-Service | Restart-Service against that name. The >log.log will save to the working directory of the script. You could easily put >C:\Logs\log.log instead, to define a location. – Patrick Oct 04 '12 at 15:08