Minimal rights to connect remotely to a taskscheduler service

Topics: Errors
Feb 27, 2014 at 7:36 AM
Hi,

What are the minimal rights to connect remotely to a taskscheduler service on another server?
Code used:
            using (TaskService ts = new TaskService ("\\servername", "account", "domain", "password"))
            {
                Task t = ts.GetTask("MyTask");
                t.Run();
            }
The "account" is a valid account on our domain.
If the "account" is member of the local administrator group on the remote server, it works. The code can connect and run successfully the task.
But I don't want to put this account in the local administrator group on the remote server!

If I give the account only the right "Log on as batch job", I get
System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
at Microsoft.Win32.TaskScheduler.V2Interop.TaskSchedulerClass.Connect(Object serverName, Object user, Object domain, Object password)
at Microsoft.Win32.TaskScheduler.TaskService.Connect()

In the Event Viewer I see a successful logon of the account and directly a logoff, probably because of the error.
(when the account is in the admin group, I see only a successful logon in the Event Viewer)
  1. Some mentioned on the internet to add read and execute rights for the used account on the c:\windows\system32\tasks folder ==> Like I thought already
    didn't work, the error appears on the first line of the code when trying to connect, before trying to execute a task.
  2. Because of the word "Interop" in the error stack, I thought at a COM security problem, so I added the account to the COM security tab in the two sections
    (run dcomcnfg, right-click on My Computer, take tab COM Security, add the account to Access Permissions and to Launch and Activation Permissions)
    ==> didn't work.
The windows firewall is disabled on the remote server, so it can't play a role here.

Any thoughts about this?
Is adding the account to the local administrator group the only way to connect remotely to the taskscheduler service?
Nov 24, 2014 at 4:27 PM
Anyone been able to solve this?

I'm looking to do the exact same thing, run a predefined task, remotely, as as user with bare minimum permissions as possible.

I've successfully run the task programmatically as a user with administration privileges, however I'm having trouble with a stripped down account.

Kind Regards,

Liam Flanagan
Coordinator
Dec 1, 2014 at 2:14 PM
In theory, you need to connect to the remote server using the TaskService constructor and supply credentials that have Administrator rights. Of course to get this far, you will have to have all the firewall and rights specified at https://taskscheduler.codeplex.com/wikipage?title=TaskSecurity. Once connected, you can then create the task and register it as the account under which you want it to run. You will have to register the task using the username and password of the intended account and then use the TaskLogonType.Password.
Marked as answer by dahall on 9/1/2015 at 10:04 AM