guitarrapc / GraniResource

PowerShell Desired State Configuration Resources for real production workload.
https://www.powershellgallery.com/packages/GraniResource
MIT License

cScheduledTask - 'The user account does not have permission to run this task' #60

Closed Zuldan closed 8 years ago

Zuldan commented 8 years ago

@guitarrapc, when I run the following config and then try to 'Right click' on the Scheduled Task in Task Scheduler and click on "Run", I get the error "The user account does not have permissions to run this task". If I create the same scheduled task using the same account, I don't get any permission issues.

v3.7.6

cScheduleTask MyScheduledTask
{
    Ensure = 'Present'
    Credential = $Credential
    TaskName = 'MyTask-Test123'
    Runlevel = 'Highest'
    Compatibility = 'Win8'
    Hidden = $False
    Disable = $False
    Execute = 'powershell.exe'
    Argument = "-NoProfile -Command `"dir`""
    ScheduledAt = [datetime](New-TimeSpan -Hours 01 -Minutes (Get-Random -Maximum 119)).ToString("hh:mm:ss")
    Daily = $True
}

guitarrapc commented 8 years ago

@Zuldan Hi, this is a Windows Scheduler trick that conflicts with the PowerShell DSC mechanism. ref: https://social.technet.microsoft.com/Forums/office/en-US/51eedd25-1123-4050-a822-d130183a5b70/the-user-account-does-not-have-permission-to-run-this-task?forum=winservergen

The whole reason this happens is that "PowerShell DSC runs as SYSTEM". Let me explain the issue first.

When the issue happens

When all of the following hold:

  1. The Scheduled Task execution user differs from the currently logged-on user
  2. The Scheduled Task is set to "run whether user is logged on or not"
  3. The Scheduled Task was created by another user who should have sufficient privilege. (Mostly happens when the Scheduled Task was created with the BuiltIn\SYSTEM account or a custom account)

Let's check the difference between the manually created task (no issue) and the DSC-created task (has the issue).

Manually created SchedulerTask

TaskName is hoge

Let's think about the case where you create a SchedulerTask while logged on as Administrator, and run it as "demo-user". The LoggedInUser, meaning Administrators in this case, has a "FULLCONTROL" ACL for the created SchedulerTask.

DSC-created SchedulerTask

TaskName is MyTask-Test123

Now the case for DSC. When DSC creates a SchedulerTask, it uses the SYSTEM account by default. So the LoggedInUser, meaning SYSTEM in this case, has a "FULLCONTROL" ACL for the created SchedulerTask, and Administrators has only lesser privileges.

Compare Task Scheduler XML

| Test | Result |
| --- | --- |
| XML Definition | There is no difference at all. Both ScheduledTasks are completely the same. |
| ACL | Here's the answer. Checking the task files, Administrators has FULLCONTROL for hoge, while it only has WRITE access for MyTask-Test123. |

How to avoid the issue

As the issue is simply because DSC runs as SYSTEM, there are 2 ways you can use.

Resolve 1. If you are using WMF 5.0, then use PsDscRunAsCredential to execute SchedulerTask as you want. (I think Administrator is fine)

configuration WMF5
{
    param( [PSCredential]$Credential, [PSCredential]$AdministratorCredential )

    Import-DscResource -ModuleName GraniResource;

    cScheduleTask MyScheduledTask
    {
        Ensure = 'Present'
        Credential = $Credential
        TaskName = 'MyTask-Test123'
        Runlevel = 'Highest'
        Compatibility = 'Win8'
        Hidden = $False
        Disable = $False
        Execute = 'powershell.exe'
        Argument = "-NoProfile -Command dir"
        ScheduledAt = [Datetime]::Now.ToString("hh:mm:ss")
        Daily = $True
        PsDscRunAsCredential = $AdministratorCredential 
    }
}

Resolve 2. If you are using WMF4 or don't want to use PsDscRunAsCredential, then use the Grani_ACL resource to add FULLCONTROL privilege for the task file. The following is the sample configuration.

configuration OverrideACL
{
    param( [PSCredential]$Credential )

    Import-DscResource -ModuleName GraniResource;

    Node localhost
    {
        cScheduleTask MyScheduledTask
        {
            Ensure = 'Present'
            Credential = $Credential
            TaskName = 'MyTask-Test123'
            Runlevel = 'Highest'
            Compatibility = 'Win8'
            Hidden = $False
            Disable = $False
            Execute = 'powershell.exe'
            Argument = "-NoProfile -Command dir"
            ScheduledAt = [Datetime]::Now.ToString("hh:mm:ss")
            Daily = $True
        }

        cAcl OverrideACLforAdministrators
        {
            Path = "C:\Windows\System32\Tasks\MyTask-Test123"
            Account = "Administrators"
            Rights = "FullControl"
            Ensure = "Present"
        }
    }
}

I confirmed 2 works perfectly.

Can you try it?
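The ACL comparison described in the comment above (Administrators holding FULLCONTROL on hoge but not on MyTask-Test123) can be reproduced with a script. This is an added example, not part of the original comment or of GraniResource; the function name Get-TaskFileAdminAccess is hypothetical, and it assumes the default task store under %SystemRoot%\System32\Tasks and an elevated session.

```powershell
# Added example: report what BUILTIN\Administrators is allowed on each task file.
# Get-TaskFileAdminAccess is a hypothetical helper name; the task names come from this thread.
function Get-TaskFileAdminAccess {
    param(
        [Parameter(Mandatory)][string[]]$TaskName,
        [string]$TaskRoot = (Join-Path $env:SystemRoot 'System32\Tasks')
    )

    # Well-known SID of BUILTIN\Administrators; avoids localized group names.
    $adminSid   = 'S-1-5-32-544'
    $full       = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $genericAll = 0x10000000   # GENERIC_ALL, sometimes stored unmapped in an ACE

    foreach ($name in $TaskName) {
        $path = Join-Path $TaskRoot $name
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Task file not found: $path"
            continue
        }

        $acl = Get-Acl -LiteralPath $path
        # Ask for SIDs instead of account names so the match is exact.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.IdentityReference.Value -eq $adminSid -and
                           $_.AccessControlType -eq 'Allow' }

        # Combine the rights granted across all matching Allow rules.
        $granted = 0
        foreach ($rule in $rules) { $granted = $granted -bor [int]$rule.FileSystemRights }

        [pscustomobject]@{
            TaskName         = $name
            Owner            = $acl.Owner
            AdminRightsMask  = '0x{0:X8}' -f $granted
            AdminFullControl = ((($granted -band $full) -eq $full) -or
                                (($granted -band $genericAll) -ne 0))
        }
    }
}

Get-TaskFileAdminAccess -TaskName 'hoge', 'MyTask-Test123' | Format-Table -AutoSize
```

Running it before and after applying either workaround shows whether the AdminFullControl column for the DSC-created task changes.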

Zuldan commented 8 years ago

@guitarrapc, thank you for the perfect explanation. I totally understand now. I have decided to use the PsDscRunAsCredential solution. All my scheduled tasks function now with no permission issues.