Stubby said:
Great tip! Do all acheduled jobs run as SYSTEM? Can anyone fire off
such a job? I hope there are controls on this.
I have to credit ISC for the tip..
Only administrators can schedule jobs with 'AT'.
Regular users will get 'Access is denied'
Of course, on the average system, everyone is an administrator. In WinXP home
installs, virtually everyone has to be, because to be otherwise is to live in a
strait jacket. XP Professional has somewhat less restrictive levels and
controls similar to 2K.
Having unrestricted access via NT AUTHORITY\SYSTEM is, in my view, an extremely
bad idea. I'm not even comfortable giving trusted users the password to the
'root' account on our unix servers, preferring to provide access to things that
must be done as root to either properly written software that runs setuid, or
access via sudo. This brings up a question: Is it possible to run a given task
as an administrator (or user X), even if the user running it is not an
administrator. The 'Run As' service does not help in this regard as it requires
a password; i.e. in the same way as the unix 'passwd' command does (changes the
user's password, needs write access to files owned by root, hence runs as root,
but runnable without the root password by ordinary mortals)
I'd have expected this to be a local policy setting, somewhere under User Rights
Assignment in secpol.msc, but it is either not there, or I've gone blind. There
is nothing in the online help that suggests that it is administrators only, but
I beleive the ability to schedule tasks revolves around the ability to write to
C:\WINNT\Tasks - Explorer will not show you the permissions on this directory,
you'll have to jump to the shell and examine it with CACLS instead (because
explorer is being 'helpful' (i.e. useless) because it knows the directory has
special properties)
Jim
