Domain Controller Aware Task Scheduler

In this post we'll discuss running scheduled tasks in a Domain Controller environment. Advanced Task Scheduler can be installed on a Domain Controller, Active Directory, domain or member.

The tasks on the current user's tab run mostly the same everywhere, however, "All Users" tasks may seem more complicated, so we'll focus on them here. Advanced Task Scheduler Service needs to be installed to run "All Users" tasks. The service may run under the system account, or under an administrator account. You may wish to run the service as an administrator if your tasks require network resources, or you want to store log file on a remote machine (see questions 11 and 12 in the FAQ).

You should change service account in Administrative Tools:

• Open Control Panel, double-click Administrative Tools, and then double-click Services.
• Double click Advanced Task Scheduler Service and specify user account on the Log On tab of the Service Properties window.

Another point of interest is the user account under which you wish to run your task. You can change user account for any task on the "User Account Options" tab of the Task Properties window. A task can run as:

• "Active user" - the user who is logged on and active at the moment when the task is being started.
• "Service user" - account of Advanced Task Scheduler Service (system account or an administrator account configured as described above).
• "Specified user" - an alternative user account for the task. You may wish to specify an alternative user account for a task if you execute an external application and that application was installed and configured for that user.

Finally, if you wish to run your task on the hidden desktop, or to use "Specified user" on the "User Account Options" tab of the Task Properties window, then you may need to enable some additional privileges for the user under which the Advanced Task Scheduler Service is running. If your task does not start due to insufficient privileges, the required privileges will be listed in the "Execution Log" tab of the Task Properties window. In general, these privileges are:

• "Act as part of the operating system" (SeTcbPrivilege),
• "Replace a process-level token" (SeAssignPrimaryTokenPrivilege),
• "Adjust memory quotas for a process" (SeIncreaseQuotaPrivilege, may be named "Increase memory quotas" or "Increase quotas" in Windows 2000 and NT 4.0),
• "Bypass traverse checking" (SeChangeNotifyPrivilege),
• and "Debug programs" (SeDebugPrivilege).

You should enable them in Domain Controller Security Policy:

• Open Control Panel, double-click Administrative Tools, and then double-click Domain Controller Security Policy.
• In the console tree, click User Rights Assignment in the GroupPolicyObjectName [DomainControllerName] Policy/Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment
• Select the required privilege and click Add User or Group.

In conclusion, if you need a "Domain Controller Aware" task scheduler, please feel free to download and try Advanced Task Scheduler.

References
User Account Options

Categories: Task scheduler