I want to create ScheduledTask (using powershell) with the following requirements:
It looks like I can use "New-ScheduledTaskPrincipal" for "Run whether user is logged on or not"
My commands are
$principal = New-ScheduledTaskPrincipal -UserID "MYDOMAIN\user_for_scheduled_task" -LogonType S4U -RunLevel Highest
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "Task-1" -Description "Very Important Task-1" -Principal $principal
After executing these commands I see "Do not store password" checked in "Task Scheduler".
This is not controlled by ScheduledTasks. This is, of course, controlled by Windows ACLs on the shared resource.
So, have you first used the creds you are referencing to just hit a few of the shares you are needing to access?
If you cannot do it natively via Explorer, net use, etc., then you need to correct that first. If the remote shares are in a different domain, then you can hit the Windows one-hop auth constraint.
I ran my PowerShell script (manually) from a PowerShell window working under the user I want to schedule this Task.
But the scheduled script cannot access the remote share after I register the Task using the following command:
$principal = New-ScheduledTaskPrincipal -UserID "MYDOMAIN\user_for_scheduled_task" -LogonType S4U -RunLevel Highest
Register-ScheduledTask -Action $action `
    -Trigger $trigger `
    -TaskName "Task-1" `
    -Description "Very Important Task-1" `
    -Principal $principal
I tried to run the Scheduled Task from Task Scheduler manually and got "PermissionDenied" error.
Also I managed to schedule my Task using the following commands:
Register-ScheduledTask -Action $action `
    -Trigger $trigger `
    -TaskName "Task-2" `
    -Description "Very Important Task-2" `
    -User "MYDOMAIN\user_for_scheduled_task" `
    -Password "Passw0rd"
It works as a scheduled task when I close RemoteDesktop. It has access to remote shares.
I want to open RemoteDesktop and execute "Register-ScheduledTask" command with parameters that will schedule my Task
I am not sure if it is possible?
Remember, as per the MSDN link I pointed to above.
Meaning, this is no different than using 'local system' for a ST. LS has no authorization to operate anywhere other than the local host. You must be able to pass the full domain credential to a remote resource. Since with S4U you are not doing this, the credential is not complete, and thus will not work.
You should never store passwords in plain text in script files. You should prompt for them each time or prompt for them once and permanently store them on the host where they are to be used.
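As an added example (not code from any poster in this thread): one way to register the task with a stored credential, so it can authenticate to remote shares, while prompting for the password instead of writing it into the script. The script path and trigger time are placeholder assumptions; the task name and account come from the thread.

```powershell
# Added example. C:\Scripts\Task-1.ps1 and the 02:00 trigger are placeholders.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -File "C:\Scripts\Task-1.ps1"'
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Prompt interactively so the password never appears in the script file
# or in the console history.
$cred = Get-Credential -UserName 'MYDOMAIN\user_for_scheduled_task' `
    -Message 'Account the scheduled task will run as'

# Register-ScheduledTask only accepts the password as a plain string,
# so extract it for this one call and drop the variable afterwards.
$plain = $cred.GetNetworkCredential().Password
try {
    $task = Register-ScheduledTask -TaskName 'Task-1' `
        -Description 'Very Important Task-1' `
        -Action $action -Trigger $trigger `
        -User $cred.UserName -Password $plain `
        -RunLevel Highest
}
finally {
    Remove-Variable -Name plain -ErrorAction SilentlyContinue
}

# Check the result: LogonType should read Password (stored credential,
# usable for network access) rather than S4U ("Do not store password").
$task.Principal | Select-Object UserId, LogonType, RunLevel
```

Run this from an elevated session on the host where the task will live; Task Scheduler keeps the credential, so the script itself contains no secret.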