Sage 100

  • 1.  Remote start scheduled task without admin permissions...?

    Posted 10-22-2019 16:57
    We set up various processes (VI / VC / SQL Scripts / VBS / FTP...) which need to be triggered from the server.  It's fine when there is a schedule, but sometimes users want to be able to start a batch remotely.
    We've used winrs/winrm for remote start processes, and schtasks too, but both require administrator permissions to the server (or a plain text admin password in a batch file).  I figure if I can get a working script to start a Scheduled Task (set to run as the user I want, but without the remote user given administrator permissions), that would be ideal.
    I've read that PowerShell can allow remote start processes with more fine tuned permissions, and while trying to set it up on a customer system I keep running into new road blocks.  Has anyone deployed a secure remote start batch process (without giving users admin permissions to the server)?
    Enable-PSRemoting -Force
    winrm set winrm/config/client @{TrustedHosts="*"}
    Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
    WMI permissions for CIMV2
    WMI permissions for TaskScheduler

    The script itself is very simple...  and it works when the user is a server admin, but not for a normal user (with permissions to PowerShell / remote / WMI...).
    Invoke-Command -ComputerName TheMachineName -ScriptBlock { Start-ScheduledTask -TaskName "TestTask" }




    ------------------------------
    Kevin Moyes
    Technical Systems Analyst
    Munjal White Consulting Co.
    Toronto ON
    ------------------------------
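    A Just Enough Administration (JEA) endpoint is the built-in way to let a non-admin start one named task over PowerShell remoting without holding admin rights on the server. This is an added example, not code from the original post; the server name SRV01, the group CONTOSO\TaskStarters, the user CONTOSO\alice, the module folder TaskStarterJEA and the transcript folder are assumptions (the task name TestTask is the one from the post).

```powershell
# Run once on the server as an administrator. Assumed names (placeholders, not from
# the thread): group CONTOSO\TaskStarters, module folder TaskStarterJEA, server SRV01.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\TaskStarterJEA'
$rcDir     = Join-Path $moduleDir 'RoleCapabilities'
New-Item -Path $rcDir -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'TaskStarterJEA.psd1')

# Role capability: the only command visible in the session is Start-ScheduledTask,
# and its -TaskName parameter is limited to the one task being exposed.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'TaskStarter.psrc') `
    -ModulesToImport 'ScheduledTasks' `
    -VisibleCmdlets @{
        Name       = 'Start-ScheduledTask'
        Parameters = @{ Name = 'TaskName'; ValidateSet = 'TestTask' }
    }

# Session configuration: RestrictedRemoteServer hides everything else, and
# RunAsVirtualAccount executes the command under a transient local-admin virtual
# account on the server, so the caller needs no admin rights of their own.
$pssc = Join-Path $env:TEMP 'TaskStarter.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\TaskStarters' = @{ RoleCapabilities = 'TaskStarter' } }
Test-PSSessionConfigurationFile -Path $pssc   # $true when the file is valid
Register-PSSessionConfiguration -Name 'TaskStarter' -Path $pssc -Force

# Check what a member of the group will actually be able to run in this endpoint.
Get-PSSessionCapability -ConfigurationName 'TaskStarter' -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType

# From the non-admin user's PC: connect to the named endpoint, not the default one.
Invoke-Command -ComputerName 'SRV01' -ConfigurationName 'TaskStarter' `
    -ScriptBlock { Start-ScheduledTask -TaskName 'TestTask' }
```

    The scheduled task still runs under whatever account it was configured with; the virtual account only needs to be able to start it, and every session is transcribed to the transcript folder for auditing.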


  • 2.  RE: Remote start scheduled task without admin permissions...?

    Posted 10-23-2019 01:30
    Do you require the script to be run AS that user? Or do you just want to allow the non-admin user to run that task? 

    If it's the latter, then typically, the way I get around this issue is as follows:
    - I create an account (in AD, or Local), and make it admin. No one would have the credentials to it. 
    - I would then write the script I want in Powershell/Kixtart/AutoIT, all of which, with the right tools, can be run as an alternate user and compiled into an EXE, so all credentials would be obfuscated (not fool-proof, but good enough for most)

    If that is along the lines of something that might work for you, and you need more details, please let me know, and I can elaborate on whichever method.

    An example of the above that I use this technique for is to allow non-admin users to be able to launch the Starship Server Manager (which isn't launchable by a regular user). Works a treat.




    ------------------------------
    George Khairallah
    CTO | gotomyerp, LLC
    george.k@gotomyerp.com | 877-888-5525
    http://gotomyerp.com/
    ------------------------------



  • 3.  RE: Remote start scheduled task without admin permissions...?

    Posted 10-23-2019 09:51
    Thanks for the reply George.

    We want the Scheduled Task to run as a specific admin account on the server, started remotely by a non-admin user.  That is the reason I'm using the PowerShell script to start a scheduled task, instead of directly triggering a set of commands.

    I have a technique to monitor for a specific file, and running steps if it is found.  That is my backup plan, since it doesn't require any user permissions beyond being able to create a file in a server share, simple, secure and easy to configure but the monitoring task must run repeatedly.  I've read PowerShell "should" be able to do what I want directly though, without such a work-around, and I'm not ready to give up yet.

    ------------------------------
    Kevin Moyes
    Technical Systems Analyst
    Munjal White Consulting Co.
    Toronto ON
    ------------------------------



  • 4.  RE: Remote start scheduled task without admin permissions...?

    Posted 10-23-2019 10:27
    I'm sure you probably stumbled on this thread in your research; this one would just use schtasks to trigger it remotely. His scenario seems to be the same as yours if I understand you correctly ... 

    https://community.spiceworks.com/topic/960070-running-scheduled-task-remotely-via-command-prompt

    I didn't personally test it, so I'm not sure what he meant by "I set the username in the script as a local admin on the server". I'm not sure if he's referring to the user running the task itself, or an embedded credential within the script itself. If it's the latter, you might have some security considerations to account for. 



    ------------------------------
    George Khairallah
    CTO | gotomyerp, LLC
    george.k@gotomyerp.com | 877-888-5525
    http://gotomyerp.com/
    ------------------------------



  • 5.  RE: Remote start scheduled task without admin permissions...?

    Posted 10-23-2019 10:45
    schtasks requires the user triggering the script be a local admin on the remote machine (server).  That is something we've used for a customer where the person wanting to trigger a process is admin on the server.

    The entire goal is to have a non-admin user trigger a process on the server.
    https://devblogs.microsoft.com/powershell/you-dont-have-to-be-an-administrator-to-run-remote-powershell-commands/

    ------------------------------
    Kevin Moyes
    Technical Systems Analyst
    Munjal White Consulting Co.
    Toronto ON
    ------------------------------



  • 6.  RE: Remote start scheduled task without admin permissions...?

    Posted 10-24-2019 00:36
    Does this help? Maybe if the remote user is a member of a domain non-admin group.

    ------------------------------
    Dan Burleson
    Software Consultant
    Connex Software
    Corvallis OR
    541-224-6642
    ------------------------------



  • 7.  RE: Remote start scheduled task without admin permissions...?

    Posted 10-24-2019 08:51
    Edited by Steve Iwanowski 10-24-2019 08:51
    I've been able to modify the task XML file ACLs in the past (https://www.mysysadmintips.com/windows/clients/576-allow-to-view-and-run-scheduled-tasks-without-admin-rights) but I think Microsoft fixed that loophole in 2012 R2 or 2016.

    You could use PowerShell to store the admin credentials under the user's login just on their PC (https://www.jaapbrasser.com/quickly-and-securely-storing-your-credentials-powershell/), so the only exposure is that user from that device, but it is a security hole.  

    I think your folder-watcher idea is probably your best bet.

    ------------------------------
    Steve Iwanowski, NextStep Technology Advisors, aka DSD Lancaster PA ¯\_(ツ)_/¯
    ------------------------------



  • 8.  RE: Remote start scheduled task without admin permissions...?

    Posted 10-28-2019 12:07
    Thanks to all for the ideas, but I've come to the conclusion that M$ must have tightened security within Win Server 2019, so I went with the file monitor idea... the stored admin credentials would work but seems a bit complicated to maintain for our purposes.

    If anyone comes up with a better (simple and secure) method, I'm open to further suggestions.
    REM Set up value for the batch file to use
    SET WaitFile1=E:\Accounting\_RemoteBatchFiles\TextFiles\EmpExpense_PayListAndImpFile_kmoyes.txt
    REM repeated loop, checking for the WaitFile
    :CheckForFile
    IF EXIST %WaitFile1% GOTO FoundIt1
    REM If we get here, the file is not found, so wait a number of seconds and then recheck. 300 = 5 minutes.
    TIMEOUT /T 300 >nul
    GOTO CheckForFile
    :FoundIt1
    REM File1 found, so start the batch.
    CALL E:\Accounting\VisualCut\BatchFiles\AP_EmployeeExpense-2-PaymentListAndImportFile.bat
    REM Delete WaitFile1, which is just a blank text file.
    DEL %WaitFile1%
    REM Go back to checking for the file.
    GOTO CheckForFile


    ------------------------------
    Kevin Moyes
    Technical Systems Analyst
    Munjal White Consulting Co.
    Toronto ON
    ------------------------------
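    A PowerShell version of the file-monitor approach from the last post, added here as an example (it is not the poster's batch file). It adds the check the batch loop lacks: a trigger file is only honoured when its NTFS owner is on an allow list, so any other account that can write to the share cannot start the batch, and each trigger is logged. The allowed user name, log path and polling interval are assumptions; the file and batch paths are the ones from the post.

```powershell
# Assumed settings (placeholders): which trigger file maps to which batch, who is
# allowed to create triggers, where to log, and how often to poll the drop folder.
$DropFolder    = 'E:\Accounting\_RemoteBatchFiles\TextFiles'
$Triggers      = @{
    'EmpExpense_PayListAndImpFile_kmoyes.txt' = 'E:\Accounting\VisualCut\BatchFiles\AP_EmployeeExpense-2-PaymentListAndImportFile.bat'
}
$AllowedOwners = @('CONTOSO\kmoyes')
$LogFile       = 'E:\Accounting\_RemoteBatchFiles\trigger.log'
$PollSeconds   = 300

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

function Test-TriggerFile([string]$Path) {
    # Only a file created by an allowed account counts. Anyone else with write access
    # to the share (or a process running as them) must not be able to fire the batch.
    $owner = (Get-Acl -Path $Path).Owner
    if ($AllowedOwners -notcontains $owner) {
        Write-Log "REJECTED $Path (owner $owner)"
        Remove-Item -Path $Path -Force
        return $false
    }
    return $true
}

while ($true) {
    foreach ($name in $Triggers.Keys) {
        $path = Join-Path $DropFolder $name
        if (-not (Test-Path -Path $path -PathType Leaf)) { continue }
        if (-not (Test-TriggerFile $path)) { continue }
        # Delete the trigger before running so a long batch is not fired twice by one file.
        Remove-Item -Path $path -Force
        $batch = $Triggers[$name]
        Write-Log "START $batch"
        $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', $batch `
                    -Wait -PassThru -WindowStyle Hidden
        Write-Log "DONE  $batch exit code $($proc.ExitCode)"
    }
    Start-Sleep -Seconds $PollSeconds
}
```

    Run this under the admin account the batches need (for example as a scheduled task at startup), and give the drop folder an NTFS ACL that lets the allowed users create files but not take ownership of others' files.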