RE: scheduled task by restricted user

From: Curtis Clay III [MSFT] (cclay_at_online.microsoft.com)
Date: 01/14/04


Date: Wed, 14 Jan 2004 14:32:31 GMT

Hello Fred,
If it's a scheduled task you can configure it to run under the system
account or even the administrator's account. See below.

You can use the Task Scheduler tool that runs on every Windows 2000-based
computer to schedule certain Microsoft Management Console (MMC) tools or
other programs to run on a user's computer in the context of the SYSTEM
account. This allows a normal user to manually perform those tasks without
allowing the user to perform any other unauthorized administrative task.

The following example demonstrates how you can allow a normal user who does
not have administrator privileges to run the Disk Management console.

1. From another networked computer in the domain, log on as a user who
   has administrator privileges.

2. Type the following command at a command prompt:

        at \\<machine_name> 1:00pm /interactive %systemroot%\system32\diskmgmt.msc

   where \\<machine_name> is the name of the user's computer.

This example starts the Disk Management console on the user's computer at
1:00 P.M. so the locally logged on user can manage or perform maintenance
on the computer's disks. You can adjust the command to fit your needs.

Because Task Scheduler, by default, is run using the local SYSTEM account,
certain tasks that require domain credentials cannot be performed. To test
which tasks can and cannot be performed using this method, use the
following procedure on a test computer to schedule a command prompt:

1. Log on to a Windows 2000 Professional-based computer as a domain
   administrator.

2. Start a command prompt by clicking Start, clicking Run, typing
   "cmd.exe" (without the quotation marks), and then clicking OK.

3. Run the following command:

        at 1:00pm /interactive %systemroot%\system32\cmd.exe

This starts another command prompt using the SYSTEM account and allows you
to test which commands or tasks will run and which ones will not because
they require domain or higher privileges.

For example, running the Dsa.msc (Active Directory) console from the
command prompt does not work because you do not have domain credentials,
but the Dfrg.msc (Disk Defragmenter) console does run because it requires
only local credentials. Using this method, you could schedule Setup for a
program on a floppy disk or CD-ROM that would normally require
administrative privileges to install, without visiting the computer locally.

CAUTION: Be careful not to schedule anything that can be terminated by the
user at the computer that leaves a working command prompt. If the program
you need to run does not require any user input, leave the /interactive
switch off so that the program runs in silent mode and is not accessible to
the user. Microsoft recommends thorough testing before using this method to
ensure you cover any security risks.

This posting is provided "AS IS" with no warranties, and confers no rights.
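
Added example, not part of the original post: a small Python check that applies the CAUTION above to a list of `at` commands before they are deployed, flagging `/interactive` jobs and rating those that start a command shell as the highest risk. The host name `WS01`, the `a:\setup.exe` path, the sample lines and the `SHELL_HOSTS` list are constructed assumptions.

```python
import re

# Assumption: programs that hand the logged-on user a command shell. cmd.exe is
# the post's own test case; the other two names are added for illustration.
SHELL_HOSTS = {"cmd.exe", "command.com", "powershell.exe"}

def parse_at(line):
    # Form used in the post: at [\\computer] time [/interactive] command
    tokens = line.split()
    if len(tokens) < 3 or tokens[0].lower() not in ("at", "at.exe"):
        return None
    rest = tokens[1:]
    target = rest.pop(0) if rest[0].startswith("\\\\") else "local"
    time = rest.pop(0)
    interactive = False
    while rest and rest[0].startswith("/"):
        interactive |= rest.pop(0).lower() == "/interactive"
    if not rest:
        return None  # e.g. "at 1 /delete": nothing is being scheduled
    prog = re.match(r'"([^"]+)"|(\S+)', " ".join(rest))
    name = (prog.group(1) or prog.group(2)).replace("/", "\\").split("\\")[-1].lower()
    return {"target": target, "time": time, "interactive": interactive, "program": name}

def review(line):
    job = parse_at(line)
    if job is None:
        return None
    if not job["interactive"]:
        return "ok"      # no window appears on the user's desktop
    if job["program"] in SHELL_HOSTS:
        return "high"    # the user receives a SYSTEM command prompt
    return "review"      # SYSTEM-owned window: test what the user can reach from it

def audit(lines):
    # Return only the commands that need attention, with their rating.
    return [(lvl, l) for l in lines if (lvl := review(l)) in ("high", "review")]

# Constructed sample input in the same form as the commands in the post.
SAMPLE = [
    r"at \\WS01 1:00pm /interactive %systemroot%\system32\diskmgmt.msc",
    r"at 1:00pm /interactive %systemroot%\system32\cmd.exe",
    r"at \\WS01 1:00pm a:\setup.exe",
    r"at 1 /delete",
]

if __name__ == "__main__":
    for level, cmd in audit(SAMPLE):
        print(f"{level:6} {cmd}")
```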

 


