
Service Account Permissions for Task Scheduler READ


I have a PowerShell script I've written to do a comparison of Scheduled Tasks between two nodes of our application server cluster. It uses this code to query the tasks from a given server...

function getTasks($server) {
    # A bare computer name passed to -CimSession makes the cmdlet open a WSMan-based
    # CIM session to that server as the caller, then enumerate the tasks remotely.
    return Get-ScheduledTask -CimSession $server | 
        Where-Object TaskPath -like '*OurFolder*' | 
        ForEach-Object {
            [pscustomobject]@{ 
                Server = $server
                Path = $_.TaskPath
                Name = $_.TaskName
                Disabled = ($_.State -eq 'Disabled')
                # Actions/Triggers are collections; a task with several actions
                # yields space-joined values in the string fields below.
                Command = $_.Actions.Execute
                Arguments = $_.Actions.Arguments
                Interval = $_.Triggers.RepetitionInterval
                # Keys used to match and diff tasks between the two nodes
                HashId = "$($_.Actions.Execute)|$($_.Actions.Arguments)"
                HashFull = "$($_.TaskPath)|$($_.TaskName)|$($_.Actions.Execute)|$($_.Actions.Arguments)|$(($_.State -eq 'Disabled'))"
            }
        }
}

It works perfectly when run under my domain admin account.

However, when I try to run it under our service account as a scheduled task, it gets this error when trying to query the scheduled tasks on the other node ...

Get-ScheduledTask : SERVER.domain.local: Cannot connect to CIM server. Access is denied.
At F:\Applications\TaskSchedulerNodeCompare\compare-nodes.ps1:9 char:12
+     return Get-ScheduledTask -CimSession $server |
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask

Googling and looking around, it LOOKS like the only way to allow an account to access this list would be to add them to the LocalAdmins on the server in question? But it really doesn't feel right to have to make our service account a local admin, and obviously we don't want to have the task run under my domain admin account.

I've tried solution no. 3 here, which sounds like it would be it...

1.  As an Administrator of the server, go to Server Manager -> Tools -> Computer Management.  On the left expand "Services and Applications" and right click "WMI Control".  Go to "Properties".
2.  In the newly opened window, click on the Security tab.
3.  Expand the Root tree, then click on the node CIMV2, and click the Security button.
4.  In the newly opened window, click the Advanced button.
5.  In the newly opened window, click the Add button under the Permissions tab.
6.  In the newly opened window, click on "Select a principal", then search for the user that was having the problem.
7.  In "Applies to", choose "This namespace and subnamespaces".
8.  For the permissions, check "Execute Methods", "Enable Account" and "Remote Enable".
9.  Click OK on all the open dialogue boxes.
10. Restart the WMI service.  As an Administrator of the server, go to Server Manager -> Tools -> Computer Management.  On the left expand "Services and Applications" and click on "Services".  Go to "Windows Management Instrumentation" and right click it.  Then choose "Restart".
11. Try the command again. The above directions were adapted from this StackOverflow posting.

but even after doing all those steps, it still won't work.

How can I allow our service account to query (read-only) the scheduled tasks from our servers, while being as security conscious as possible?

mangohost
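The same grant done from PowerShell, added here as a worked example and not part of the question or any answer to it. It differs from the GUI steps above in one point that matters: the three rights (Enable Account, Remote Enable, Execute Methods) are applied to root/Microsoft/Windows/TaskScheduler, the namespace that Get-ScheduledTask actually queries (MSFT_ScheduledTask, the class named in the error, lives there), not to root/cimv2. It also adds the account to the local "Remote Management Users" group, because a CIM session opened from a bare computer name goes over WinRM and the default WinRM endpoint rejects non-administrators who are not in that group. It uses the Windows PowerShell 5.1 WMI cmdlets and the __SystemSecurity singleton; the server name, account name and function names are placeholders.

```powershell
# Added example: grant a non-admin account read/remote access to the Task Scheduler
# WMI namespace plus WinRM access on a target server. Run as an administrator of $Server.
# SERVER01 and DOMAIN\svc-taskcompare are placeholders, not names from the question.
param(
    [string]$Server    = 'SERVER01',
    [string]$Account   = 'DOMAIN\svc-taskcompare',
    [string]$Namespace = 'root/Microsoft/Windows/TaskScheduler'   # not root/cimv2
)

# WMI namespace access rights (WBEM_* values from wbemcli.h) and ACE constants
$WBEM_ENABLE             = 0x1    # "Enable Account"
$WBEM_METHOD_EXECUTE     = 0x2    # "Execute Methods"
$WBEM_REMOTE_ACCESS      = 0x20   # "Remote Enable"
$CONTAINER_INHERIT_ACE   = 0x2    # "This namespace and subnamespaces"
$ACCESS_ALLOWED_ACE_TYPE = 0x0

function Grant-WmiNamespaceRead {
    param([string]$Computer, [string]$Ns, [string]$Trustee)

    $sid = ([System.Security.Principal.NTAccount]$Trustee).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # __SystemSecurity is the singleton that owns the namespace's security descriptor
    $result = Invoke-WmiMethod -ComputerName $Computer -Namespace $Ns `
                  -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($result.ReturnValue)" }
    $sd = $result.Descriptor

    # Idempotent: do nothing if an allow ACE for this SID already carries the three rights
    $wanted = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS
    $existing = $sd.DACL | Where-Object {
        $_.Trustee.SIDString -eq $sid -and
        $_.AceType -eq $ACCESS_ALLOWED_ACE_TYPE -and
        (($_.AccessMask -band $wanted) -eq $wanted)
    }
    if ($existing) { return 'already granted' }

    $trustee = ([wmiclass]"\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
    $trustee.SIDString = $sid

    # Only the minimum rights needed to read and call methods remotely; no write rights
    $ace = ([wmiclass]"\\$Computer\root\cimv2:Win32_Ace").CreateInstance()
    $ace.AccessMask = $wanted
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE
    $ace.AceType    = $ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    $sd.DACL += $ace.psobject.immediateBaseObject
    $result = Invoke-WmiMethod -ComputerName $Computer -Namespace $Ns `
                  -Path '__systemsecurity=@' -Name SetSecurityDescriptor `
                  -ArgumentList $sd.psobject.immediateBaseObject
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($result.ReturnValue)" }
    return 'granted'
}

function Grant-WinRmAccess {
    param([string]$Computer, [string]$Trustee)
    # "Remote Management Users" is allowed by the default WinRM RootSDDL on Server 2012+;
    # membership lets a non-admin open the WSMan-based CIM session at all.
    Invoke-Command -ComputerName $Computer -ArgumentList $Trustee -ScriptBlock {
        param($m)
        $members = Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue
        if (-not ($members | Where-Object Name -eq $m)) {
            Add-LocalGroupMember -Group 'Remote Management Users' -Member $m
        }
    }
}

function Test-TaskRead {
    param([string]$Computer, [pscredential]$Cred)
    # Open the session explicitly as the service account to verify the grant
    $cs = New-CimSession -ComputerName $Computer -Credential $Cred
    try   { (Get-ScheduledTask -CimSession $cs | Measure-Object).Count }
    finally { Remove-CimSession $cs }
}

Grant-WmiNamespaceRead -Computer $Server -Ns $Namespace -Trustee $Account
Grant-WinRmAccess      -Computer $Server -Trustee $Account
Test-TaskRead          -Computer $Server -Cred (Get-Credential $Account)
```

Two things to check after running it. First, confirm the new ACE is on the TaskScheduler namespace in WMI Control (Root -> Microsoft -> Windows -> TaskScheduler -> Security) and not only on CIMV2. Second, compare the task count returned by Test-TaskRead with the count an administrator sees: the Task Scheduler provider also honours each task's own security descriptor, so a non-admin account can be allowed into the namespace and still see fewer tasks than an administrator, which would make a two-node comparison silently incomplete rather than fail loudly.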
