We have a scheduled task that is a PowerShell script. The script performs a number of actions against SQL databases where the access is controlled via integrated security. Hence each of these actions must be performed by a process that is executing under the appropriate Windows AD credentials, and there is more than one set of credentials that must be used.
Details:
The PowerShell task is invoked in the task scheduler as follows:
cmd.exe /C ""powershell.exe" -Noninteractive "C:\someDir\SomeScript.ps1" >"C:\logDir\SomeScript.log" 2>&1"
In other words, cmd.exe is the "Program/script" invoked; the remainder of the line is the "Add arguments (optional)" part. (We invoke this way for reasons irrelevant to the question at hand, part of which is the way we have architected logging in the script libraries we have developed.)
In the scheduled task settings (General), we select "Run whether user is logged in or not" and "Run with highest privileges". The userID running the task, let's call it ad\admin1, has local admin privileges.
Within the script SomeScript.ps1, we invoke other scripts under different credentials, via
Start-Process $explicitPowershellExe -Credential $credential -Wait -ArgumentList @( '-NonInteractive', '-file', $scriptForSqlOperations )
The credentials $credential are for users different from ad\admin1. This invocation silently fails to start PowerShell, though no error is generated. The only clue that PowerShell fails to start is an event in the "Windows Logs" => System:
Application popup: powershell.exe - Application Error : The application was unable to start correctly (0xc0000142). Click OK to close the application.
Note that we can run the script no problem when run outside of a scheduled task. Running the script SomeScript.ps1 in a logon session for user ad\admin1 succeeds any way we run it. For example, in a cmd.exe console (running with admin), we can run the exact line
cmd.exe /C ""powershell.exe" -Noninteractive "C:\someDir\SomeScript.ps1" >"C:\logDir\SomeScript.log" 2>&1"
and it succeeds, or we can more simply run
powershell -Noninteractive "C:\someDir\SomeScript.ps1"
at the command prompt and all goes well. So the issue is clearly with something in the way TaskScheduler sets up the cmd.exe processes it runs.
Does anyone know what the issue might be and how to get around it? I am suspecting it is some security restriction on impersonation within a scheduled task?
Thanks.
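
A diagnostic sketch for the silent failure described in the question, added here as an example and not part of the original post: it turns the 0xc0000142 start-up failure into an error the calling script can see and log. It assumes $explicitPowershellExe, $credential and $scriptForSqlOperations are already set as in the question, and that the popup event is written by the "Application Popup" provider in the System log.

```powershell
# Added example. The three variables below come from the question's script and
# are assumed to be populated before this point.
foreach ($name in 'explicitPowershellExe', 'credential', 'scriptForSqlOperations') {
    if (-not (Get-Variable -Name $name -ValueOnly -ErrorAction SilentlyContinue)) {
        throw "Expected `$$name to be set by the calling script"
    }
}

# 0xC0000142 is STATUS_DLL_INIT_FAILED; as a signed 32-bit exit code it is -1073741502.
$statusDllInitFailed = -1073741502

$launchTime = Get-Date

# -PassThru returns the process object so its exit code can be inspected after -Wait.
$child = Start-Process -FilePath $explicitPowershellExe `
    -Credential $credential -Wait -PassThru `
    -ArgumentList @('-NonInteractive', '-File', $scriptForSqlOperations)

if ($child.ExitCode -eq $statusDllInitFailed) {
    # Pull the matching popup event written since the launch, if any, so the
    # evidence ends up next to the failure instead of only in the System log.
    $popup = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Application Popup'   # assumption: source of the popup event
            StartTime    = $launchTime
        } |
        Where-Object { $_.Message -match '0xc0000142' } |
        Select-Object -First 1

    $detail = if ($popup) { $popup.Message } else { 'no matching System log event found' }
    throw "Child PowerShell failed to initialise (0xC0000142) as $($credential.UserName): $detail"
}
elseif ($child.ExitCode -ne 0) {
    throw "Child PowerShell exited with code $($child.ExitCode) as $($credential.UserName)"
}
```

Because the task command line redirects output with 2>&1, the thrown message lands in SomeScript.log rather than being lost.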