
# Task Permissions

Every Scheduled Task has permissions, stored in a Security Descriptor that defines who has rights to the task.

## Regedit

You can find the Security Descriptor of your task by looking in the Registry:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
```

![](/files/-MRIp5i0NVzr8AW8VfA7)

## PowerShell

You can get the Security Descriptor in PowerShell using the Task Scheduler API:

{% embed url="<https://docs.microsoft.com/en-us/windows/win32/api/_taskschd/>" %}

```
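# Connect to the local Task Scheduler service through its COM API
$TaskScheduler = New-Object -ComObject Schedule.Service
$TaskScheduler.Connect()
$Task = $TaskScheduler.GetFolder('\PowerShell').GetTask('Set-ExecutionPolicy Bypass')
# 0xF requests the owner, group, DACL and SACL parts; the result is an SDDL string
$SecurityDescriptor = $Task.GetSecurityDescriptor(0xF)
Write-Host "SecurityDescriptor:" -ForegroundColor Cyan
$SecurityDescriptor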
```

![](/files/-MRIt3AqIWlO3KvyejJt)

If you want to know more about Security Descriptor Definition Language (SDDL), see this link:

{% embed url="<https://docs.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language>" %}

To convert the SDDL string to an ACL, run this command:

```
(ConvertFrom-SddlString -Sddl $SecurityDescriptor).DiscretionaryAcl
```

![](/files/-MRItm3EV9UK2qqjfgds)

This should confirm that a Standard User does not have rights to READ or EXECUTE the Scheduled Task.

## Granting Access

Granting Authenticated Users READ and EXECUTE access is as simple as connecting to the Task Scheduler API and adding **`(A;;GRGX;;;AU)`** to the Security Descriptor using the following code:

```
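# $TaskPath and $TaskName are defined at the top of the full script below
$Scheduler = New-Object -ComObject "Schedule.Service"
$Scheduler.Connect()
$GetTask = $Scheduler.GetFolder($TaskPath).GetTask($TaskName)
$GetSecurityDescriptor = $GetTask.GetSecurityDescriptor(0xF)
# GRGX is reported back as the access mask 0x1200a9, so test for that form
# to avoid adding the same ACE on every run
if ($GetSecurityDescriptor -notmatch 'A;;0x1200a9;;;AU') {
    # Appending works while the string ends with the DACL (no trailing S: section)
    $GetSecurityDescriptor = $GetSecurityDescriptor + '(A;;GRGX;;;AU)'
    $GetTask.SetSecurityDescriptor($GetSecurityDescriptor, 0)
}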
```
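
The same grant made on a parsed descriptor instead of by string concatenation, as an added example that is not part of the original script. It tests the access mask of existing ACEs for Authenticated Users and inserts the new ACE into the DACL itself, so the result does not depend on where the DACL sits in the SDDL string. The task path and name are the ones used in the full script.

```powershell
#Requires -RunAsAdministrator
# Added example: the two values below are taken from the page's full script.
$TaskPath = '\Corporate\PowerShell'
$TaskName = 'Set-ExecutionPolicy Bypass'

$ReadExecute = 0x1200A9    # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE (what GRGX becomes)
$AuthUsers   = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')   # AU

$Scheduler = New-Object -ComObject 'Schedule.Service'
$Scheduler.Connect()
$Task = $Scheduler.GetFolder($TaskPath).GetTask($TaskName)

# Parse the SDDL string into owner, group, DACL and SACL objects
$Sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Task.GetSecurityDescriptor(0xF))

# Does an allow ACE for Authenticated Users already cover read and execute?
$Covered = $Sd.DiscretionaryAcl | Where-Object {
    $_.AceQualifier -eq 'AccessAllowed' -and
    $_.SecurityIdentifier.Value -eq $AuthUsers.Value -and
    ($_.AccessMask -band $ReadExecute) -eq $ReadExecute
}

if (-not $Covered) {
    $Ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $ReadExecute, $AuthUsers, $false, $null)
    # Insert at the end of the DACL only; any SACL is left untouched
    $Sd.DiscretionaryAcl.InsertAce($Sd.DiscretionaryAcl.Count, $Ace)
    $Sddl = $Sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    $Task.SetSecurityDescriptor($Sddl, 0)
}

# Read the descriptor back and list the resulting DACL
(ConvertFrom-SddlString -Sddl $Task.GetSecurityDescriptor(0xF)).DiscretionaryAcl
```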

## Full Script

Here is the full script to run:

```
#Requires -RunAsAdministrator

$TaskName = 'Set-ExecutionPolicy Bypass'
$TaskPath = '\Corporate\PowerShell'
$Description = @"
Set-ExecutionPolicy Bypass -Force  
Runs as SYSTEM and does not display any progress or results
"@

$Action = @{
    Execute = 'powershell.exe'
    Argument = 'Set-ExecutionPolicy Bypass -Force'
}
$Principal = @{
    UserId = 'SYSTEM'
    RunLevel = 'Highest'
}
$Settings = @{
    AllowStartIfOnBatteries = $true
    Compatibility = 'Win8'
    MultipleInstances = 'Parallel'
    ExecutionTimeLimit = (New-TimeSpan -Minutes 60)
}
$ScheduledTask = @{
    Action = New-ScheduledTaskAction @Action
    Principal = New-ScheduledTaskPrincipal @Principal
    Settings = New-ScheduledTaskSettingsSet @Settings
    Description = $Description
}

New-ScheduledTask @ScheduledTask | Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Force

$Scheduler = New-Object -ComObject "Schedule.Service"
$Scheduler.Connect()
$GetTask = $Scheduler.GetFolder($TaskPath).GetTask($TaskName)
$GetSecurityDescriptor = $GetTask.GetSecurityDescriptor(0xF)
if ($GetSecurityDescriptor -notmatch 'A;;0x1200a9;;;AU') {
    $GetSecurityDescriptor = $GetSecurityDescriptor + '(A;;GRGX;;;AU)'
    $GetTask.SetSecurityDescriptor($GetSecurityDescriptor, 0)
}
```

## Results

After running the PowerShell script as an Administrator, I can now log in as a Standard User and see the Task in Task Scheduler. The PowerShell window shows the current Execution Policy, an error showing that I don't have permissions to change the Execution Policy, and finally the Scheduled Task running and the Execution Policy results displayed after running the Task.

![](/files/-MRIxx8LzwwUTTK7ouLA)
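
Because a grant like this lets any signed-in user start a task that runs as SYSTEM, it helps to keep an inventory of where such grants exist. The following added example (not part of the original post) walks every task folder through the same COM API and lists allow ACEs held by broad groups, together with the account each task runs as. The function name `Get-BroadTaskAccess` and the choice of groups are assumptions made for the example.

```powershell
# Added example: report tasks whose DACL grants rights to broad groups.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}
$ReadExecute = 0x1200A9    # the mask that (A;;GRGX;;;AU) is stored as

function Get-BroadTaskAccess {
    param($Folder)
    foreach ($Task in $Folder.GetTasks(1)) {              # 1 = include hidden tasks
        try {
            # 0x4 = DACL_SECURITY_INFORMATION; only the DACL is needed here
            $Sd = [System.Security.AccessControl.RawSecurityDescriptor]::new(
                $Task.GetSecurityDescriptor(0x4))
            foreach ($Ace in $Sd.DiscretionaryAcl) {
                $Sid = $Ace.SecurityIdentifier.Value
                if ($Sid -and $Ace.AceQualifier -eq 'AccessAllowed' -and
                    $BroadSids.ContainsKey($Sid)) {
                    [pscustomobject]@{
                        Task        = $Task.Path
                        RunAs       = $Task.Definition.Principal.UserId
                        RunLevel    = $Task.Definition.Principal.RunLevel   # 1 = highest
                        Trustee     = $BroadSids[$Sid]
                        AccessMask  = '0x{0:x}' -f $Ace.AccessMask
                        ReadExecute = ($Ace.AccessMask -band $ReadExecute) -eq $ReadExecute
                    }
                }
            }
        } catch {
            # Tasks whose descriptor cannot be read are reported, not skipped silently
            Write-Warning "Could not read $($Task.Path): $($_.Exception.Message)"
        }
    }
    foreach ($Sub in $Folder.GetFolders(0)) { Get-BroadTaskAccess -Folder $Sub }
}

$Scheduler = New-Object -ComObject 'Schedule.Service'
$Scheduler.Connect()
Get-BroadTaskAccess -Folder $Scheduler.GetFolder('\') |
    Sort-Object Task, Trustee |
    Format-Table -AutoSize
```

Rows where `ReadExecute` is true and `RunAs` is a privileged account are the ones to review against what the task's action does.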

## References

{% embed url="<https://michlstechblog.info/blog/windows-run-task-scheduler-task-as-limited-user/>" %}

{% embed url="<https://superuser.com/questions/1475639/how-to-fix-broken-permissions-for-windows-scheduled-task>" %}

