We have a scheduled task that is a PowerShell script. The script performs a number of actions against SQL databases where the access is controlled via integrated security. Hence each of these actions must be performed by a process that is executing under the appropriate Windows AD credentials, and there is more than one set of credentials that must be used.
Details:
The PowerShell task is invoked in the Task Scheduler as follows:
cmd.exe /C ""powershell.exe" -Noninteractive "C:\someDir\SomeScript.ps1" >"C:\logDir\SomeScript.log" 2>&1"
In other words, cmd.exe is the "Program/script" invoked, and the remainder of the line is the "Add arguments (optional)" part. (We invoke this way for reasons irrelevant to the question at hand, part of which is the way we have architected logging in the script libraries we have developed.)
In the scheduled task settings (General tab), we select "Run whether user is logged in or not" and "Run with highest privileges". The user ID running the task, let's call it ad\admin1, has local admin privileges.
Within the script SomeScript.ps1, we invoke other scripts under different credentials, via
Start-Process $explicitPowershellExe -Credential $credential -Wait -ArgumentList @( '-NonInteractive', '-File', $scriptForSqlOperations )   # -NonInteractive is a powershell.exe switch, so it belongs in -ArgumentList
The credentials $credential are for users different from ad\admin1. This invocation silently fails to start PowerShell, though no error is generated. The only clue that PowerShell fails to start is an event in Windows Logs => System:
Application popup: powershell.exe - Application Error : The application was unable to start correctly (0xc0000142). Click OK to close the application.
Note that we can run the script with no problem when it is run outside of a scheduled task. Running the script SomeScript.ps1 in a logon session for user ad\admin1 succeeds any way we run it. For example, in a cmd.exe console (running as admin), we can run the exact line
cmd.exe /C ""powershell.exe" -Noninteractive "C:\someDir\SomeScript.ps1" >"C:\logDir\SomeScript.log" 2>&1"
and it succeeds, or we can more simply run
powershell -Noninteractive "C:\someDir\SomeScript.ps1"
at the command prompt and all goes well. So the issue is clearly with something in the way Task Scheduler sets up the cmd.exe processes it runs.
Does anyone know what the issue might be and how to get around it? I am suspecting it is some security restriction on impersonation within a scheduled task?
Thanks.
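The following is an added example, not the question's own code. It launches the child PowerShell under alternate credentials the way the question does, but redirects the child's output streams to files, returns its exit code, and collects any "Application popup" events raised in the meantime, so a child that never starts is no longer silent. $Credential and $ScriptPath correspond to the question's $credential and $scriptForSqlOperations; the log directory, file naming and function names are assumptions.

```powershell
# Added example (not from the original question). Runs a script as another
# user from inside a scheduled task and makes a failure to start visible.
# Assumed: log directory C:\logDir (the question logs there), function names.

function Invoke-ScriptAsUser {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$LogDir = 'C:\logDir'      # assumed, matches the question's log path
    )
    $exe   = Join-Path $PSHOME 'powershell.exe'   # explicit path, as the question uses
    $user  = $Credential.UserName -replace '[\\/:]', '_'
    $base  = Join-Path $LogDir ([IO.Path]::GetFileNameWithoutExtension($ScriptPath))
    $out   = "$base.$user.out.log"
    $err   = "$base.$user.err.log"
    $since = Get-Date

    # -NonInteractive and -File are powershell.exe switches, so they go in
    # -ArgumentList; Start-Process itself has no -NonInteractive parameter.
    # -WorkingDirectory is set explicitly because the alternate user may not
    # be able to read the parent's current directory.
    $p = Start-Process -FilePath $exe `
        -ArgumentList @('-NonInteractive', '-File', $ScriptPath) `
        -Credential $Credential `
        -WorkingDirectory $LogDir `
        -RedirectStandardOutput $out `
        -RedirectStandardError $err `
        -PassThru -Wait

    # A child killed during initialisation with STATUS_DLL_INIT_FAILED
    # (0xC0000142, the code in the question's event) exits with that NTSTATUS,
    # which .NET reports as the signed Int32 -1073741502.
    $result = [pscustomobject]@{
        Script   = $ScriptPath
        RunAs    = $Credential.UserName
        ExitCode = $p.ExitCode
        StdOut   = $out
        StdErr   = $err
        Popups   = @(Get-AppPopupEvents -Since $since)
    }
    if ($p.ExitCode -ne 0) {
        Write-Warning ('{0} as {1} exited with 0x{2:X8}; see {3}' -f `
            $ScriptPath, $Credential.UserName, $p.ExitCode, $err)
    }
    return $result
}

# "Application popup" events (System log, event ID 26) were the only trace the
# question found, so collect any raised since the child was started.
function Get-AppPopupEvents {
    param([Parameter(Mandatory)][datetime]$Since)
    Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'Application Popup'; ID = 26; StartTime = $Since
        } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Usage inside SomeScript.ps1 (variable names from the question):
# $r = Invoke-ScriptAsUser -Credential $credential -ScriptPath $scriptForSqlOperations
# if ($r.ExitCode -ne 0) { $r.Popups | Format-List; exit $r.ExitCode }
```

Because the child's stdout and stderr are written to per-user files rather than inherited from cmd.exe, the parent log from the question stays readable and the exit code and any popup event end up in the same place, which is what a scheduled, unattended run needs for triage.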
Make sure each user you are trying to execute as has the "Log on as a batch job" right.
Open gpedit.msc and navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment, then edit the "Log on as a batch job" right. Run gpupdate afterwards.
I believe that the key setting preventing the ability to execute start-process with other credentials from a scheduled task (where account rights are not the issue) is "Run whether user is logged on or not".
Using the "Run only when user is logged on" setting does work, but this is of course a problem if you are not logged into the system running the job at the time. Also, I cannot say if this restriction is limited to the start-process command. Other Windows PS commands allow credentials to be passed as well, but like yourself I have not had success with start-process without using the alternative setting. I have not found a definitive explanation for this limitation.
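The following is an added example, not code from the answer above. It registers the question's task in the two logon modes the answer contrasts, using the ScheduledTasks cmdlets: a stored-password registration is the cmdlet equivalent of "Run whether user is logged on or not", and a principal with LogonType Interactive is the equivalent of "Run only when user is logged on". Task names, the run-as account, the schedule and the script and log paths are assumed values.

```powershell
# Added example (not from the original answer). Registers the same task in
# both logon modes so the stored principal can be compared side by side.
# Assumed: task names, schedule, and that $RunAs is the ad\admin1 account.

function Register-SqlOpsTask {
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][pscredential]$RunAs,     # e.g. ad\admin1 from the question
        [ValidateSet('Password', 'Interactive')][string]$LogonType = 'Password',
        [string]$Script = 'C:\someDir\SomeScript.ps1',
        [string]$Log    = 'C:\logDir\SomeScript.log'
    )
    # Same cmd.exe wrapper the question uses, so the log redirection is kept.
    $argLine = '/C ""powershell.exe" -NonInteractive "{0}" >"{1}" 2>&1"' -f $Script, $Log
    $action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument $argLine
    $trigger = New-ScheduledTaskTrigger -Daily -At '02:00'   # assumed schedule

    if ($LogonType -eq 'Password') {
        # Stored-password registration = "Run whether user is logged on or not"
        # plus "Run with highest privileges"; the account needs the batch logon right.
        $null = Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
            -User $RunAs.UserName -Password $RunAs.GetNetworkCredential().Password `
            -RunLevel Highest -Force
    } else {
        # Interactive principal = "Run only when user is logged on"; no password is stored.
        $principal = New-ScheduledTaskPrincipal -UserId $RunAs.UserName `
            -LogonType Interactive -RunLevel Highest
        $null = Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
            -Principal $principal -Force
    }
    # Return what Task Scheduler actually stored, for comparison.
    (Get-ScheduledTask -TaskName $TaskName).Principal | Select-Object UserId, LogonType, RunLevel
}

# Usage (assumed names):
# $admin = Get-Credential 'ad\admin1'
# Register-SqlOpsTask -TaskName 'SqlOps-LoggedOnOrNot' -RunAs $admin -LogonType Password
# Register-SqlOpsTask -TaskName 'SqlOps-LoggedOnOnly'  -RunAs $admin -LogonType Interactive
```

Registering both variants and diffing the returned principal is a quick way to confirm which mode a task is really in before chasing the Start-Process behaviour itself; only the stored-password mode runs unattended, which is the trade-off the answer describes.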
You can also use PowerShell to grant "Log on as a service" rights.
This can be achieved by using the script that is published on the Microsoft Script Center here: https://gallery.technet.microsoft.com/scriptcenter/Grant-Log-on-as-a-service-11a50893#content
. ".\Add Account To LogonAsService.ps1" "DOMAIN\Account"
Replace "DOMAIN\Account" with the name of the account you want to add to the policy.
Check the source here for more info: https://www.get-itsolutions.com/log-on-as-batch-job-rights/
Thanks.
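The following is an added example, not the script linked above and not code from either answer. It serves the earlier answer about the "Log on as a batch job" right and this one about granting a logon right from PowerShell: it reads the local user-rights assignment with secedit, reports whether an account holds a given right directly, and can append the account to that right by writing a policy INF back. The right name defaults to SeBatchLogonRight (the batch logon right); SeServiceLogonRight is the service logon right. The account name, temporary file names and function names are assumptions; it must run elevated.

```powershell
# Added example (not from the answers or the linked script). Check and grant a
# logon user right with secedit's export/configure INF format.
# Assumed: run from an elevated session; $AccountName resolves to a SID.

function Get-UserRightHolders {
    param([Parameter(Mandatory)][string]$Right)   # e.g. 'SeBatchLogonRight'
    $inf = Join-Path $env:TEMP ("rights-export-{0}.inf" -f [guid]::NewGuid())
    # Export only the user-rights area of the effective local policy.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    try {
        $line = Get-Content -Path $inf | Where-Object { $_ -match "^\s*$Right\s*=" } |
            Select-Object -First 1
        if (-not $line) { return @() }            # right assigned to nobody
        $value = ($line -split '=', 2)[1]
        # Entries are '*SID' (rarely a bare account name); normalise to SID strings.
        return @(($value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
            ForEach-Object {
                if ($_.StartsWith('*')) { $_.Substring(1) }
                else { ConvertTo-Sid -AccountName $_ }
            })
    } finally {
        Remove-Item $inf -Force -ErrorAction SilentlyContinue
    }
}

function ConvertTo-Sid {
    param([Parameter(Mandatory)][string]$AccountName)
    (New-Object Security.Principal.NTAccount($AccountName)).Translate(
        [Security.Principal.SecurityIdentifier]).Value
}

function Test-UserRight {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [string]$Right = 'SeBatchLogonRight'
    )
    # Direct grants only: a grant inherited through group membership
    # (e.g. Administrators or Backup Operators) is not detected here.
    (Get-UserRightHolders -Right $Right) -contains (ConvertTo-Sid -AccountName $AccountName)
}

function Grant-UserRight {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [string]$Right = 'SeBatchLogonRight'
    )
    $sid     = ConvertTo-Sid -AccountName $AccountName
    $holders = @(Get-UserRightHolders -Right $Right)
    if ($holders -contains $sid) { return }        # already granted directly
    # secedit /configure replaces the right's whole list, so keep existing holders.
    $entries = ((@($holders) + $sid) | ForEach-Object { "*$_" }) -join ','
    $inf = Join-Path $env:TEMP ("rights-grant-{0}.inf" -f [guid]::NewGuid())
    $db  = [IO.Path]::ChangeExtension($inf, '.sdb')
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "$Right = $entries"
    ) | Set-Content -Path $inf -Encoding Unicode   # secedit expects UTF-16 INF files
    try {
        & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    } finally {
        Remove-Item $inf, $db -Force -ErrorAction SilentlyContinue
    }
}

# Usage (assumed account names):
# Test-UserRight  -AccountName 'DOMAIN\sqlRunner'                       # batch logon, direct grant?
# Grant-UserRight -AccountName 'DOMAIN\sqlRunner' -Right 'SeBatchLogonRight'
# Test-UserRight  -AccountName 'DOMAIN\svcAccount' -Right 'SeServiceLogonRight'
```

Run Test-UserRight for each account passed to Start-Process before assuming the task-scheduler setting is at fault; if the right arrives through a group, the direct check reports false even though the logon will work, so confirm group membership separately in that case. Grant-UserRight changes local policy only, and a domain GPO that sets the same right will overwrite it at the next refresh.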