November 3, 2017 at 11:27 am

Hi,

I'm trying to allow a non-admin user to run a scheduled task via PS, without giving out more permissions than required.
So far, I have given the user Read+Execute rights on the task file located in C:\Windows\System32\Tasks. This allowed the user to see and run the task in the GUI and Start-ScheduledTask -TaskName "taskname" locally via RDP. But when I try to do the same PS command via Invoke-Command from a workstation, it fails.

How can I get this working without delegating unnecessary permissions?

November 3, 2017 at 1:04 pm

I forgot to mention that I had added the user to the Remote Management Users group, and tested that Invoke-Command servername {hostname} works.

November 3, 2017 at 1:25 pm

I have had some progress in my testing. My solution works for me, but I'd like to know why it behaves like this.

# This works.
Invoke-Command -ComputerName servername -ScriptBlock {schtasks /run /tn "taskname"}

# This doesn't.
Invoke-Command -ComputerName servername -ScriptBlock {Start-ScheduledTask -TaskName "taskname"}

November 3, 2017 at 1:56 pm

What error message do you get?

November 3, 2017 at 2:03 pm

Cannot connect to CIM server. Access denied
    + CategoryInfo          : ResourceUnavailable: (PS_ScheduledTask:String) [Start-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Start-ScheduledTask
    + PSComputerName        : servername

Let me add that the user is a part of the "Protected Users" group.
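
The setup described in the first two posts can be scripted and audited as below; this is an added example, not code from the thread. The account name CONTOSO\taskrunner is a constructed placeholder, and the task is assumed to sit in the root task folder, as in the posts.

```powershell
# Run elevated on the server that hosts the task.
# Placeholder values (assumptions); replace with your own.
$TaskName = 'taskname'               # task name as used in the thread
$User     = 'CONTOSO\taskrunner'     # constructed example account
$TaskFile = Join-Path "$env:SystemRoot\System32\Tasks" $TaskName

if (-not (Test-Path -LiteralPath $TaskFile -PathType Leaf)) {
    throw "Task file not found: $TaskFile"
}

# Grant Read+Execute on this one task file only, not on the Tasks folder.
& icacls.exe $TaskFile /grant "${User}:(RX)"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Allow the account to open WinRM sessions without local admin rights.
$group = 'Remote Management Users'
$isMember = Get-LocalGroupMember -Group $group -ErrorAction Stop |
    Where-Object { $_.Name -eq $User }
if (-not $isMember) { Add-LocalGroupMember -Group $group -Member $User }

# Audit: report any allow entry for the account that exceeds Read+Execute.
$allowed = [int][System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Synchronize'
(Get-Acl -LiteralPath $TaskFile).Access |
    Where-Object {
        $_.IdentityReference.Value -eq $User -and
        $_.AccessControlType -eq 'Allow'
    } |
    ForEach-Object {
        $extra = [int]$_.FileSystemRights -band (-bnot $allowed)
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Rights      = $_.FileSystemRights
            Inherited   = $_.IsInherited
            ExceedsRX   = ($extra -ne 0)
        }
    }

# Then, from the workstation and as the delegated user, the call the
# thread reports as working:
#   Invoke-Command -ComputerName servername -ScriptBlock { schtasks /run /tn "taskname" }
```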