PowerShell - Allow non-admin users to disable/enable Tasks
I have a task that triggers every hour, and runs a powershell script. I am supposed to deploy this script along with the task on workstations, where all users are non-admin users, however, the users need to be able to Enable/Disable this script manually.
Using "Enable-ScheduledTask -TaskName "task_name"" in a separate script (START.ps1) obviously doesn't work without admin privileges. Is there any workarounds that will allow these non-admin users to enable/disable the task?
I've already tried to create the task with a non-admin user, but they still were not able to use the Enable-ScheduledTask/Disable-ScheduledTask cmdlets.
Any help will be appreciated, thanks!
I am doing this from memory.. but..
-
Give the user account (who will be running this) permissions to
C:\Windows\System32\tasks
. This is where the actual tasks are written so the user will need to be able to read/write/change there. READ SECURITY NOTE AT THE BOTTOM. -
Add that user account via the group policy editor (or domain group policy) to:
Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Log on as a batch job
Notes:
- You will find that with folders like the tasks folder, the explorer will not let you browse (even though you might be an admin and have the rights to do so). I myself use QDir as an admin to poke around where explorer.exe won't allow me to see and the problem is not based on permissions.
- Without some real creativity, you will potentially open up Pandora's box by granting these rights to ordinary users. It is possible that you can add only
BROWSE/READ
to the tasks folder for your user, pre-create the task for them, then add theCHANGE
permission for your user to the task file itself. This would be safer, will probably work but I haven't tried it. You be the guinea pig ;) - Consider using Users or better still Domain users as the account if you want to simplify all of this via automation.
Good luck!