Run Task Scheduler task on demand from limited user account in Windows 7

7

3

My goal is for a limited user to be able to run a netsh script that requires administrative privileges:

    netsh wlan stop hostednetwork
    netsh wlan start hostednetwork

From my administrative account I created a task scheduler task that runs this script with elevated privileges and saved my admin password in it. It worked. But the task is not visible from the limited user account.

I tried creating the same task from the limited user task scheduler - did not happen, it told me the user has no rights to create the task.

Tried schtasks.exe from the limited user, it also does not show the task I want to run.

Is there a way to share the task I created from the administrative account with a limited user so he is able to run it on demand? Or give him privileges to create the task himself?

Boris Hamanov

Posted 2012-03-18T11:25:53.037

Reputation: 341

Note: Unlike the start command, the stop command does not require administrator privileges. – fefrei – 2014-12-28T19:51:14.563

Answers

17

Go to C:\Windows\System32\Tasks, find the related task, and assign "read and execute" rights to the user you want to be able to access it. Be sure to assign to "current object only." Then the task will be visible and runnable from the limited user, and it will work if you saved your credentials in it and checked "run whether user is logged on or not."

Boris Hamanov

Posted 2012-03-18T11:25:53.037

Reputation: 341

Worked for me in Windows 8/8/8.1, but doesn't in Windows 10 [1607]. Even worse: if I create a task as a limited user, then edit it as admin and deny the user all permissions to the task, he can still run it. And the other way around: if I create a task as admin, then give the user full access and even change ownership, he still can neither see it nor run it. – LogicDaemon – 2017-02-28T11:28:10.727

@LogicDaemon Same here, doesn't work on 1607. I've tried giving the user full rights to the task and the entire folder and still access denied. Did you ever find a solution? – Jason – 2017-06-26T20:29:19.997

@jason Unfortunately not yet. The only way I know is to create a dummy task by running schtasks as the user who must run the task, then edit it as admin. This way the user keeps the ability to run the task. – LogicDaemon – 2017-06-27T16:29:48.290

Also works on Server 2008 R2 – Jonathan – 2013-11-14T12:41:38.623

3

Yep, that's a terrible problem. The chosen answer no longer works. I'm using the Event Log as a workaround:

  1. Register 'on an event' trigger for your task, e.g. "Application", "Application", 30204 (your magic number for this task)

  2. Log an event with this ID. To do that from the command line / a batch file, I wrote a dummy 3-line .NET console app.

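    // Body of Main(string[] args); needs "using System.Diagnostics;" at the top of the file.
    // args[0] is the event ID that the task's "on an event" trigger is registered for.
    using (var eventLog = new EventLog("Application"))
    {
        eventLog.Source = "Application";
        eventLog.WriteEntry("EventLogTriggeer", EventLogEntryType.Information, int.Parse(args[0]));
    }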

In my case I've solved security for automated deployments on a staging environment. GitHub makes a POST request to my Node.js backend, which runs under the IIS AppPool identity with read-only access to the folder. It verifies the hash signature and executes:

    const { exec } = require('child_process');
    // delegate to privileged task
    exec('%SystemDrive%\\apps\\EventLogTrigger 30204', (err, stdout, stderr) => { /* ... */ });

The remaining part is done via a scheduled task that runs the deployment script under a user that has permissions to modify files in inetpub. Tasks are individually configured for each server and each website on them, so the path is hardcoded:

C:\inetpub\ta\autodeploy.cmd

Dmitry Gusarov

Posted 2012-03-18T11:25:53.037

Reputation: 381

Interesting workaround. It may be safer to use a new event log and hard code the ID in the .Net application: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-eventlog?view=powershell-5.1

– Gremio – 2018-05-03T01:06:04.273
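
The event-log trigger from the answer above, set up with a dedicated log as the last comment suggests, as an added PowerShell example (not code from any of the posters). The log, source, task and folder names are assumptions, and so is running the task as SYSTEM rather than with a stored administrator password.

```powershell
# Added example. The log, source, task and folder names below are hypothetical.
$LogName  = 'TaskTriggers'
$Source   = 'HostedNetworkTrigger'
$EventId  = 30204                      # the "magic number" from the answer
$TaskName = 'RestartHostedNetwork'
$Dir      = 'C:\Scripts'
$Script   = Join-Path $Dir 'hostednetwork.cmd'

function Install-TriggerTask {
    # Run once from an elevated prompt.
    # Dedicated log and source, so unrelated Application-log events never match.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName $LogName -Source $Source
    }

    # Folders created under C:\ are writable by ordinary users by default.
    # Restrict this one to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18)
    # so the limited account cannot change what the elevated task runs.
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    icacls $Dir /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
    Set-Content -Path $Script -Value 'netsh wlan stop hostednetwork',
                                     'netsh wlan start hostednetwork'

    # The trigger matches provider and event ID only; the task command line
    # is fixed and takes nothing from the event, so whoever writes the event
    # can start the task but cannot influence what it does.
    # Assumption: SYSTEM is used so that no password is stored in the task.
    $Query = "*[System[Provider[@Name='$Source'] and EventID=$EventId]]"
    schtasks /Create /TN $TaskName /TR $Script /SC ONEVENT /EC $LogName `
             /MO $Query /RU SYSTEM /RL HIGHEST /F
}

function Invoke-TriggerTask {
    # Run from the limited account: writing the event is the only right it needs.
    Write-EventLog -LogName $LogName -Source $Source -EventId $EventId `
                   -EntryType Information -Message 'Hosted network restart requested'
}
```

Whether the limited account may write to the new log depends on that log's access control, so call `Invoke-TriggerTask` from that account once to confirm before relying on it.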