
We have 2 domain administrator accounts in Active Directory: "Administrator" and "Robocopy".

Robocopy is a service account associated with a scheduled task which executes a batch file, which runs Robocopy (on our SBS 2003 file server/domain controller).

The reason this account was made a member of the "domain administrator" group a couple of years ago when it was created was because I was unable to assign a non-domain administrator account in Scheduled Tasks to run a batch file on the server.

[screenshot]

I would now like to restrict the "Robocopy" account as much as possible, including denying it network access so that it cannot be used to log on to anything other than the server.

At the very least, I am looking to remove the "Robocopy" account from the "domain administrators" group.

What is the best-practice method for achieving this?

Update:

Could any of these default security groups be used to achieve what I want?

[screenshot: the server's default security groups]

Austin ''Danger'' Powers

1 Answer

The security policy in the Default Domain Controllers Group Policy Object (GPO) doesn't permit unprivileged users to log on interactively or as batch jobs (which is how Scheduled Tasks run) on Domain Controller (DC) computers. Your first problem in making this account unprivileged (which is a good idea) is going to be modifying the security policy.

Your cmd.exe permissions may need to be changed, too, because non-Administrator users are restricted from executing scripts non-interactively in Windows 2003.

Once you've taken care of that you'll also need to sort out making sure that the user account running robocopy actually has rights to read and write to the source and destination locations. Since the account has been privileged in the past you haven't really had to worry about that.

Evan Anderson
  • Thanks Evan. That's very interesting; I didn't realize the ability of an account to log on interactively (or run batch jobs) on a server could be configured in Group Policy. Will explore that later today. – Austin ''Danger'' Powers Jul 15 '13 at 14:38
  • *Anything* can be configured from Group Policy. ("When all you have is a hammer...") – Evan Anderson Jul 15 '13 at 15:22
  • Your answer nearly 3 years ago to another question seems to apply perfectly here: http://serverfault.com/questions/211283/why-isnt-my-scheduled-task-running-a-batch-script?lq=1 The KB you cited there will be where the most elegant solution lies. Thanks again! – Austin ''Danger'' Powers Jul 16 '13 at 02:48
  • @Austin''Danger''Powers - That happens to me more and more every day. – Evan Anderson Jul 16 '13 at 03:05
  • I have updated my question with a screenshot showing 10 default security groups on the server. Could making the service account a member of one of these (instead of the domain administrator group) work? – Austin ''Danger'' Powers Jul 18 '13 at 19:40
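The answer lists three things to sort out before the "Robocopy" account can leave Domain Admins: the "Log on as a batch job" right on the DC, the permissions on cmd.exe, and NTFS rights on the source and destination folders. The following PowerShell script is an added example for this thread, not code from the question, the answer, or any linked KB article. It audits each of those three points on the DC and can grant the NTFS rights; the account name CONTOSO\Robocopy and the folders D:\Data and E:\Backup are placeholders you would replace with your own.

```powershell
# Added example, not code from the question or the answer.
# Audits the three points the answer raises before the "Robocopy" account
# is removed from Domain Admins, and (optionally) grants the NTFS rights.
# Placeholders (assumptions, change to match your domain):
#   $Account = the service account, $Source/$Dest = the robocopy folders.
# Run on the SBS 2003 DC as an administrator. Needs PowerShell 2.0,
# secedit.exe (built in) and icacls.exe (Server 2003 SP2 and later).

$Account = 'CONTOSO\Robocopy'   # assumed service account
$Source  = 'D:\Data'            # assumed robocopy source folder
$Dest    = 'E:\Backup'          # assumed robocopy destination folder
$Apply   = $false               # set to $true to actually change ACLs in step 3

# secedit writes user rights as lists of *SID, so resolve the account's SID.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# --- 1. User rights in force on the DC (the answer's first problem) --------
# On a DC the effective rights come from the Default Domain Controllers GPO,
# so make the change there, under
#   Computer Configuration > Windows Settings > Security Settings >
#   Local Policies > User Rights Assignment > "Log on as a batch job".
# A local 'secedit /configure' would be undone at the next policy refresh.
$inf = Join-Path $env:TEMP 'dc-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

$rightsOfInterest = 'SeBatchLogonRight', 'SeDenyBatchLogonRight',
                    'SeNetworkLogonRight', 'SeDenyNetworkLogonRight'
foreach ($right in $rightsOfInterest) {
    $line = Get-Content $inf | Where-Object { $_ -match "^$right\s*=" }
    if (-not $line) { Write-Host "$right : not set"; continue }
    # A direct match is conclusive; the right may also arrive through a
    # group SID in the same list (e.g. S-1-5-32-551, Backup Operators).
    $listed = $line -match [regex]::Escape("*$sid")
    $status = if ($listed) { "lists $Account" } else { "does not list $Account directly" }
    Write-Host ("{0,-24} {1}" -f $right, $status)
    Write-Host "    $line"
}

# --- 2. cmd.exe permissions (the answer's second point) --------------------
# The scheduled batch file runs under cmd.exe, so the account needs
# Read & Execute on it; check which principals are granted or denied.
$cmd = Join-Path $env:windir 'System32\cmd.exe'
Write-Host "`nACL on $cmd :"
(Get-Acl $cmd).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# --- 3. NTFS rights on source and destination (the answer's third point) ---
# Read & Execute on the source, Modify on the destination. (OI)(CI) makes the
# entry inherit to files and subfolders. Nothing changes unless $Apply is $true.
$grants = @(
    @{ Path = $Source; Spec = "${Account}:(OI)(CI)RX" },
    @{ Path = $Dest;   Spec = "${Account}:(OI)(CI)M"  }
)
foreach ($g in $grants) {
    if ($Apply) {
        icacls $g.Path /grant $g.Spec
    } else {
        Write-Host "Would run: icacls `"$($g.Path)`" /grant `"$($g.Spec)`""
    }
}
```

Two caveats when reading the output. "Deny access to this computer from the network" on the DC only blocks network logons to the DC itself; if the batch file copies to a UNC path on another machine, the account still needs network logon and share permissions there. And if the batch file calls robocopy with /B or /ZB (backup mode), the account also needs the backup and restore privileges, which an ordinary user does not have, so either drop those switches or grant that right deliberately rather than leaving the account in Domain Admins.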