I was asked by a friend of mine to check why a specific batch file was not being called by a job in Task Scheduler. The first thing I did was to check if the account that was used to run the job had the appropriate permissions. The account used was a domain account with limited privileges. The same account can run jobs on other servers but not on this one. Making it a member of the local Administrators group gave it the permissions to run the job, but making it a member of the Power Users group did not. The former not being an option forced me to check the ACLs on other servers, and I found out that the account did not have permissions on the CMD.EXE file in my %windir%\system32 folder. After giving the Read and Execute permissions to this account, it was able to run the job using Task Scheduler.

I’ve seen systems where the Everyone group is granted the same permissions on the CMD.EXE file and such is not a recommended practice due to security vulnerabilities. I’ll work on a PowerShell script to check a machine for this and remove the Everyone group, if it exists.
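
The check described above, written out as an added example (not the author's script): it lists Allow entries for Everyone on CMD.EXE and, when asked, removes the explicit ones. The `-Path` and `-Remove` parameter names are assumptions made for this example.

```powershell
# Added example: audit cmd.exe for Allow ACEs granted to Everyone.
# Parameter names (-Path, -Remove) are assumptions for this example.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Path = (Join-Path $env:windir 'System32\cmd.exe'),
    [switch]$Remove
)

# Resolve Everyone by its well-known SID (S-1-1-0) instead of by name,
# so the comparison also works on localized Windows installations.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

$acl = Get-Acl -LiteralPath $Path

# Ask for the ACEs with SIDs as identities (explicit and inherited).
$rules = $acl.GetAccessRules($true, $true,
    [System.Security.Principal.SecurityIdentifier])

$hits = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $everyone.Value -and
    $_.AccessControlType -eq 'Allow'
})

if ($hits.Count -eq 0) {
    Write-Output "No Allow entries for Everyone on $Path"
    return
}

# Report what was found before changing anything.
$hits | Select-Object FileSystemRights, IsInherited, AccessControlType

if ($Remove) {
    # Only explicit ACEs can be removed on the file itself; inherited
    # ones have to be fixed on the parent folder they come from.
    $explicit = @($hits | Where-Object { -not $_.IsInherited })
    foreach ($rule in $explicit) {
        [void]$acl.RemoveAccessRuleSpecific($rule)
    }
    # Needs an elevated session; where the file is owned by
    # TrustedInstaller, the write is denied unless the caller has
    # been given the right to change the file's permissions.
    if ($explicit.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($Path, 'Remove explicit Everyone ACEs')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}
```

Run it without `-Remove` first to see what is on the file, and with `-Remove -WhatIf` to confirm what would change before the ACL is written back.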
