I have a user who needs to run one scheduled task on a Windows 2008 SP2 server. The user does not have domain access. So, I'm creating a local server account. This user needs to be able to RDP into the server, but I would like the account to be locked down.
As far as I know, running scheduled tasks remotely requires admin rights. I'm not sure if it is possible to run scheduled tasks on the server with restricted privileges. Regardless, I only want the user to be able to run one particular task and nothing else. If the user could only see this one task, that would be even better.
My back up plan is a read-only batch file that can be executed by the user, instead of monkeying with windows tasks.
I want to setup the user in the Guests group, yet able to RDP into the server. If Guests is not possible, then perhaps the Users group with RDP privileges.
Here's what I've done so far:
I setup the local account to the Users group.
I opened Terminal Services Configuration and added the local account to the connection and set full permissions. Then, in Local Group Policy Editor, I opened User Rights Assignment, under Local Policies, and added the local account to Allow log on through Terminal Services and also Log on as a batch job.
I tried to RDP into the server with this local account and I get an error message:
The connection was denied because the user account is not authorized for remote login.
Is there anything else I can do? I'm not sure what I'm doing wrong here.
