I have a batch file set to run via Task Scheduler in Windows Server 2008 R2. The batch file is being used to rotate and compress MySQL logs, and the folder containing these logs is encrypted using the Windows built in EFS encryption. I found a VBS script which will compress (zip) a folder, and I'm using this to compress the old log file(s) after rotation. The batch file runs fine if I run it at the command line.
The problem is when I try to have Task scheduler run it. I have it set to run once a day, and is running as myself (I have access and can view the encrypted log files, etc). But when the task runs (either at the scheduled time or if I manually run the task) it chokes when running the VBS script, saying it's unauthorized. When the batch file calls CScript to run the VBS script, is CScript running as the same user (myself)? I'm just calling it from the batch file as follows:
CScript zipIt.vbs %TEMPDIR% %ARCHIVEDIR%\%TARGETZIP%
Here are the contents of the VBS script:
Set objArgs = WScript.Arguments
InputFolder = objArgs(0)
ZipFile = objArgs(1)
CreateObject("Scripting.FileSystemObject").CreateTextFile(ZipFile, True).Write "PK" ^& Chr(5) ^& Chr(6) ^& String(18, vbNullChar)
Set objShell = CreateObject("Shell.Application")
Set source = objShell.NameSpace(InputFolder).Items
objShell.NameSpace(ZipFile).CopyHere(source)
wScript.Sleep 2000
I'm not very knowledgeable with VBS or Windows administration in general, but I'm guessing that this script is having trouble creating a new file in the encrypted folder. Because when I turn off the folder encryption it works ok from Task Scheduler. I was thinking of calling CScript using "Runas" with my own credentials, but I wouldn't want to have my password stored in the batch file in the clear, since other users have access to these files (DatabaseAdmin, etc). In Task Scheduler, there is an option to "Run with highest privileges". Would this fix the problem? I was avoiding this because I figured I should try to figure out how to get it to work with the least privileges possible.
UPDATE: While poking around, I found that I actually do NOT have ability to unencrypt the MySQL log file, even though I DO have that ability for the containing folder (verified by cipher.exe /c). The only account with unencrypt permission was SYSTEM. This might be because the MySQL log is created by the tool "MySQLAdmin flush-logs". As I understand it, files created by applications are owned by SYSTEM (not 100% sure on that). Maybe I have to call MySQLAdmin flush-logs in my script by using "runas". But then I have the same problem of not wanting to store my credentials in the batch file in clear text. Will test when I can.
Any help is appreciated.
