Hi,
I’m trying to allow a non-admin user to run a scheduled task via PS, without giving out more permissions than required.
So far, i have given the user Read+Execute rights on the task file located in C:\Windows\System32\Tasks. This allowed the user to see and run the task in the GUI and Start-ScheduledTask -TaskName “taskname” locally via RDP. But when i try to do the same PS command via invoke command from a workstation, it fails.
How can i get this working without delegating unnecessary permissions?
I forgot to mention that i had added the user to the Remote Management Users group, and testet that Invoke-Command servername {hostname} works.
I have had some progress in my testing. My solution works for me, but i’d like to know why it behaves like this…
# This works.
Invoke-Command -ComputerName servername -ScriptBlock {schtasks /run /tn "taskname"}
# This doesn't.
Invoke-Command -ComputerName servername -ScriptBlock {Start-ScheduledTask -TaskName "taskname"}
What error message do you get?
Cannot connect to CIM server. Access denied
+ CategoryInfo : ResourceUnavailable: (PS_ScheduledTask:String) [Start-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Start-ScheduledTask
+ PSComputerName : servername
Let me add that the user is a part of the “Protected Users” group.