Task Permissions

Twitter LinkedIn GitHub PowerShell Gallery
Search…
Task Permissions
Every Task contains permissions, called a Security Descriptor which defines who has rights to the Scheduled Task
Regedit
You can find the Security Descriptor of your task by looking in the Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree
PowerShell
You can get the Security Descriptor in PowerShell using the Task Scheduler API
Task Scheduler - Win32 apps
docsmsft
$TaskScheduler = New-Object -ComObject Schedule.Service
$TaskScheduler.Connect()
$Task = $TaskScheduler.GetFolder('\PowerShell').GetTask('Set-ExecutionPolicy Bypass')
$SecurityDescriptor = $Task.GetSecurityDescriptor(0xF)
Write-Host "SecurityDescriptor:" -ForegroundColor Cyan
$SecurityDescriptor
If you want to know more about Security Descriptor Definition Language, feel free to study this link
Security Descriptor Definition Language - Win32 apps
docsmsft
To convert the SDDL String to an ACL, simply run this command
(ConvertFrom-SddlString -Sddl $SecurityDescriptor).DiscretionaryAcl
Which should confirm that a Standard User does not have rights to READ or EXECUTE the Scheduled Task
Granting Access
Granting access to Authenticated Users for READ and EXECUTE is as simple as connecting to the Task Scheduler API and adding (A;;GRGX;;;AU) to the Security Descriptor using the following code
$Scheduler = New-Object -ComObject "Schedule.Service"
$Scheduler.Connect()
$GetTask = $Scheduler.GetFolder($TaskPath).GetTask($TaskName)
$GetSecurityDescriptor = $GetTask.GetSecurityDescriptor(0xF)
if ($GetSecurityDescriptor -notmatch 'A;;0x1200a9;;;AU') {
    $GetSecurityDescriptor = $GetSecurityDescriptor + '(A;;GRGX;;;AU)'
    $GetTask.SetSecurityDescriptor($GetSecurityDescriptor, 0)
}
Full Script
Here is the full script to run
#Requires -RunAsAdministrator
​
$TaskName = 'Set-ExecutionPolicy Bypass'
$TaskPath = '\Corporate\PowerShell'
$Description = @"
Set-ExecutionPolicy Bypass -Force  
Runs as SYSTEM and does not display any progress or results
"@
​
$Action = @{
    Execute = 'powershell.exe'
    Argument = 'Set-ExecutionPolicy Bypass -Force'
}
$Principal = @{
    UserId = 'SYSTEM'
    RunLevel = 'Highest'
}
$Settings = @{
    AllowStartIfOnBatteries = $true
    Compatibility = 'Win8'
    MultipleInstances = 'Parallel'
    ExecutionTimeLimit = (New-TimeSpan -Minutes 60)
}
$ScheduledTask = @{
    Action = New-ScheduledTaskAction @Action
    Principal = New-ScheduledTaskPrincipal @Principal
    Settings = New-ScheduledTaskSettingsSet @Settings
    Description = $Description
}
​
New-ScheduledTask @ScheduledTask | Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Force
​
$Scheduler = New-Object -ComObject "Schedule.Service"
$Scheduler.Connect()
$GetTask = $Scheduler.GetFolder($TaskPath).GetTask($TaskName)
$GetSecurityDescriptor = $GetTask.GetSecurityDescriptor(0xF)
if ($GetSecurityDescriptor -notmatch 'A;;0x1200a9;;;AU') {
    $GetSecurityDescriptor = $GetSecurityDescriptor + '(A;;GRGX;;;AU)'
    $GetTask.SetSecurityDescriptor($GetSecurityDescriptor, 0)
}
Results
After running the PowerShell script as an Administrator, I can now log in as a Standard User and see the Task in Task Scheduler.  The PowerShell window shows the current Execution Policy, an error showing that I don't have permissions to change the Execution Policy, and finally running the Scheduled Task and displaying the Execution Policy results after running the Task
References
Windows: Permit a limited user to run a schedule task defined by an Administrator
Michls Tech Blog
How to fix broken permissions for Windows scheduled task?
Super User
Building a Task
Task Trigger
Last modified 1yr ago
Copy link
Outline