powershell task in task scheduler cannot start-process with another -Credential

2

We have a scheduled task that is a powershell script. The script performs a number of actions against SQL databases where the access is controlled via integrated security. Hence each of these actions must be performed by a process that is executing under the appropriate Windows AD credentials, and there is more than one set of credentials that must be used.

Details:

The powershell task is invoked in the task scheduler as follows:

cmd.exe /C ""powershell.exe" -Noninteractive "C:\someDir\SomeScript.ps1" >"C:\logDir\SomeScript.log" 2>&1"

In other words, cmd.exe is the Program/script invoked, the remainder of the line is the Add arguments (optional): part. (We invoke this way for reasons irrelevant to the question at hand, part of which is the way we have architected logging in the script libraries we have developed.)

In the scheduled task settings (General), we select Run whether user is logged in or not and Run with highest privileges. The userID running the task, let's call it ad\admin1, has local admin privileges.

Within the script SomeScript.ps1, we invoke other scripts under different credentials, via

Start-Process $explicitPowershellExe -NonInteractive -Credential $credential -Wait -ArgumentList @( '-file', $scriptForSqlOperations )

The credentials $credential are for users different from ad\admin1. This invocation silently fails to start powershell, though no error is generated. The only clue that powershell fails to start is an event in the "Windows Logs"=>System:

Application popup: powershell.exe - Application Error : The application was unable to start correctly (0xc0000142). Click OK to close the application.

Note that we can run the script no problem when run outside of a scheduled task. Running the script SomeScript.ps1 in a logon session for user ad\admin1 succeeds any way we run it. For example, in a cmd.exe console (running with admin), we can run the exact line

cmd.exe /C ""powershell.exe" -Noninteractive "C:\someDir\SomeScript.ps1" >"C:\logDir\SomeScript.log" 2>&1"

and it succeeds, or we can more simply run

powershell -Noninteractive "C:\someDir\SomeScript.ps1"

at the command prompt and all goes well. So the issue is clearly with something in the way Task Scheduler sets up the cmd.exe processes it runs.

Does anyone know what the issue might be and how to get around it? I am suspecting it is some security restriction on impersonation within a scheduled task?

Thanks.

windows-7
powershell
windows-task-scheduler
task-scheduler
credentials
asked on Super User May 21, 2020 by David I. McIntosh
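The failure described in the question is hard to see because Start-Process returns nothing when the child process dies during initialisation. The following wrapper is an added example, not code from the question: it launches the SQL script the same way, but with -PassThru so the child's exit status (0xC0000142 shows up as a negative Int32) is written to the task's own log next to the identity and session the parent actually runs in. The child script path and the credential file path are assumptions; the log path is the one from the question.

```powershell
# Added diagnostic wrapper (not from the original question). Assumed values:
# $ChildScript and $credFile are placeholders; $LogPath is the question's log.
param(
    [string]$ChildScript = 'C:\someDir\SqlOperations.ps1',   # assumed path
    [string]$LogPath     = 'C:\logDir\SomeScript.log'         # path from the question
)

$explicitPowershellExe = Join-Path $PSHOME 'powershell.exe'

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Record the context the task runs in. With "Run whether user is logged on or
# not" the parent lives in session 0 with no interactive desktop; logging this
# makes it obvious whether a run happened from the task or from a console.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$session  = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
Write-Log ('Parent running as {0}, session {1}, interactive={2}' -f `
    $identity.Name, $session, [Environment]::UserInteractive)

function Start-ScriptAsUser {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string]       $ScriptPath
    )
    try {
        # -NonInteractive is a powershell.exe switch, so it goes in -ArgumentList.
        $proc = Start-Process -FilePath $explicitPowershellExe `
            -ArgumentList @('-NonInteractive', '-File', $ScriptPath) `
            -Credential $Credential -Wait -PassThru -ErrorAction Stop
    }
    catch {
        Write-Log ('Start-Process threw: {0}' -f $_.Exception.Message)
        return $null
    }

    # An NTSTATUS such as 0xC0000142 (STATUS_DLL_INIT_FAILED) is reported as a
    # negative Int32; formatting with X8 shows the familiar hex form.
    $code = $proc.ExitCode
    $hex  = '0x{0:X8}' -f $code
    if ($code -eq 0) {
        Write-Log ('{0} finished OK as {1}' -f $ScriptPath, $Credential.UserName)
    }
    else {
        Write-Log ('{0} exited with {1} ({2}) as {3}' -f $ScriptPath, $code, $hex, $Credential.UserName)
    }
    return $code
}

# A non-interactive task cannot prompt, so the credential is loaded from a file
# written earlier with Export-Clixml while running as the task account; DPAPI
# ties that file to the exporting user and machine.
$credFile   = 'C:\someDir\sqlops.cred.xml'   # assumed path
$credential = Import-Clixml -Path $credFile

$exit = Start-ScriptAsUser -Credential $credential -ScriptPath $ChildScript
if ($null -eq $exit) { exit 1 } else { exit $exit }
```

Run from the task exactly as the question's cmd.exe line does; the log then shows either a normal exit or the 0xC0000142 status for the child, which is the same code the System event log reports, without having to correlate the two by timestamp.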

3 Answers

1

Make sure each user you are trying to execute as has the “logon as a batch job” right.

  1. Open gpedit.msc and navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
  2. Add each user to the Log on as a batch job right.
  3. Run gpupdate
  4. Try your task again.

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job

answered on Super User May 22, 2020 by Appleoddity
0

I believe that the key setting preventing the ability to execute start-process with other credentials from a scheduled task (where account rights are not the issue) is "Run whether user is logged on or not". Using the "Run only when user is logged on" setting does work, but this is of course a problem if you are not logged into the system running the job at the time. Also, I cannot say if this restriction is limited to the start-process command. Other Windows PS commands allow credentials to be passed as well, but like yourself I have not had success with start-process without using the alternative setting. I have not found a definitive explanation for this limitation.

answered on Super User Aug 16, 2020 by bigguitar
0

You can also use PowerShell to grant “Log on as a service” rights.

This can be achieved by using the script published on the Microsoft Script Center here: https://gallery.technet.microsoft.com/scriptcenter/Grant-Log-on-as-a-service-11a50893#content

. ".\Add Account To LogonAsService.ps1" "DOMAIN\Account"

Replace “DOMAIN\Account” with the name of the account you want to add to the policy.

Check the source here for more info: https://www.get-itsolutions.com/log-on-as-batch-job-rights/

Thanks

answered on Super User Sep 12, 2020 by Enco Trio
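The first answer says to check and add the "Log on as a batch job" right through gpedit.msc, and the third answer grants "Log on as a service" through a Script Center script. The block below is an added example that covers both from one script and is not the script the third answer links to: it uses the built-in secedit.exe to read the current holders of a privilege (SeBatchLogonRight or SeServiceLogonRight), tests a given account against them, and adds the account if it is missing. It must run elevated on the machine that runs the task; the account names in the usage loop are placeholders.

```powershell
# Added helper (not the Script Center script from the answer above).
# Checks and grants a user right with secedit.exe. Run elevated.
# 'DOMAIN\sqlops1' / 'DOMAIN\sqlops2' below are placeholder account names.

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UserRightAssignment {
    # Returns the SIDs (or unresolved names) that currently hold $Privilege,
    # taken from a secedit export of the local policy's User Rights area.
    param([Parameter(Mandatory)][string]$Privilege)
    $tmp = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $line = Get-Content $tmp |
            Where-Object { $_ -match ('^{0}\s*=' -f [regex]::Escape($Privilege)) } |
            Select-Object -First 1
        if (-not $line) { return @() }
        $value = ($line -split '=', 2)[1].Trim()
        # secedit writes SIDs with a leading '*'; names appear without one.
        return @($value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
    finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

function Test-UserRight {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Privilege
    )
    $sid     = Get-AccountSid $Account
    $holders = @(Get-UserRightAssignment $Privilege)
    # Direct grants only: a right inherited through group membership (for
    # example via Administrators) is not resolved here.
    return ($holders -contains $sid)
}

function Grant-UserRight {
    param(
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][string]$Privilege
    )
    $sid     = Get-AccountSid $Account
    $holders = @(Get-UserRightAssignment $Privilege)
    if ($holders -contains $sid) { return $true }

    # Re-emit existing holders unchanged (SIDs get their '*' back) plus the new SID.
    $entries  = ($holders + $sid) | ForEach-Object { if ($_ -like 'S-1-*') { '*' + $_ } else { $_ } }
    $newValue = $entries -join ','
    $inf = Join-Path $env:TEMP ('grant-{0}.inf' -f [guid]::NewGuid())
    $sdb = [IO.Path]::ChangeExtension($inf, '.sdb')
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Privilege = $newValue
"@ | Set-Content -Path $inf -Encoding Unicode
    try {
        & secedit.exe /configure /db $sdb /cfg $inf /areas USER_RIGHTS | Out-Null
        # Re-read the policy rather than trusting secedit's exit status.
        return (Test-UserRight -Account $Account -Privilege $Privilege)
    }
    finally { Remove-Item $inf, $sdb -ErrorAction SilentlyContinue }
}

# Usage: make sure every account handed to Start-Process -Credential holds the
# batch-logon right; swap in 'SeServiceLogonRight' for the service-logon case.
foreach ($acct in @('DOMAIN\sqlops1', 'DOMAIN\sqlops2')) {
    if (Test-UserRight -Account $acct -Privilege 'SeBatchLogonRight') {
        Write-Host "$acct already holds SeBatchLogonRight"
    }
    else {
        $ok = Grant-UserRight -Account $acct -Privilege 'SeBatchLogonRight'
        Write-Host ('Granted SeBatchLogonRight to {0}: {1}' -f $acct, $ok)
    }
}
```

This edits the local security policy only. If a domain GPO also defines the same right, the domain setting wins at the next policy refresh, so on a domain-joined machine the grant belongs in that GPO and this script is then useful mainly as the check.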

User contributions licensed under CC BY-SA 3.0