Run deligated scheduled task on remote server via PS without admin rights

sponsen · November 3, 2017, 5:57am

Hi,

I’m trying to allow a non-admin user to run a scheduled task via PS, without giving out more permissions than required.
So far, i have given the user Read+Execute rights on the task file located in C:\Windows\System32\Tasks. This allowed the user to see and run the task in the GUI and Start-ScheduledTask -TaskName “taskname” locally via RDP. But when i try to do the same PS command via invoke command from a workstation, it fails.

How can i get this working without delegating unnecessary permissions?

sanchez · November 3, 2017, 6:29am

https://4sysops.com/archives/powershell-remoting-without-administrator-rights/

sponsen · November 3, 2017, 7:34am

I forgot to mention that i had added the user to the Remote Management Users group, and testet that Invoke-Command servername {hostname} works.

sponsen · November 3, 2017, 7:55am

I have had some progress in my testing. My solution works for me, but i’d like to know why it behaves like this…

# This works.
Invoke-Command -ComputerName servername -ScriptBlock {schtasks /run /tn "taskname"}

# This doesn't.
Invoke-Command -ComputerName servername -ScriptBlock {Start-ScheduledTask -TaskName "taskname"}

sanchez · November 3, 2017, 8:26am

What error message do you get?

sponsen · November 3, 2017, 8:33am

Cannot connect to CIM server. Access denied
    + CategoryInfo          : ResourceUnavailable: (PS_ScheduledTask:String) [Start-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Start-ScheduledTask
    + PSComputerName        : servername

Let me add that the user is a part of the “Protected Users” group.