New-ScheduledTaskTrigger -AtLogon - how to specify "Any user" ?

I'm getting errors when trying to create a Scheduled Task like this:

Function CreateAndRegisterTask {
    Param ($taskname, $taskpath, $taskaction)    
    $trigger = New-ScheduledTaskTrigger -AtLogon -User "Any user"
   #$("$domain\$username") <-- works if user specified
    $action = New-ScheduledTaskAction -Execute $taskaction
    Register-ScheduledTask -TaskName $taskname -TaskPath $taskpath 
   -Description $taskname -Trigger $trigger -Action $action
}

According to the documentation I've read there's supposed to be a way to specify 'Any user'.  Has anyone been successful creating a task with a trigger of Log on of 'Any User'?

I've tried -User $null and leaving the switch out altogether - doesn't work.  The syntax is supposed to be:

New-ScheduledTaskTrigger [-AtLogOn] [-RandomDelay <TimeSpan> ] [-User <String> ] [ <CommonParameters>]

more info...

New-ScheduledTaskTrigger

LogonTrigger.UserId property (here is says null is 'Any user')
msdn.microsoft.com/en-us/library/windows/desktop/aa381910%28v=vs.85%29.aspx

Task Scheduler Scripting Objects
technet.microsoft.com/en-us/library/cc748841.aspx

Scheduled Tasks Cmdlets in Windows PowerShell
technet.microsoft.com/en-us/library/jj649816(v=wps.630).aspx

May 29th, 2015 3:22pm

Simple.  Don't specify a user:

$trigger = New-ScheduledTaskTrigger -AtLogon

OR -

$trigger = New-ScheduledTaskTrigger -AtLogon -User *

Free Windows Admin Tool Kit Click here and download it now
May 29th, 2015 4:21pm

howdy jrv and thanks for the reply.

I had not tried an asterisk (does not work) but I had tried just '-AtLogon' which should work from what I've read.  I've even tried running the script as admin, and relaxed prems on c:\windows\tasks.  Same results...

Register-ScheduledTask : Access is denied.
+ Register-ScheduledTask -TaskName $taskname -TaskPath $taskpath -Descript ...
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo : PermissionDenied: (PS_ScheduledTask:Root/Microsoft/...S_ScheduledTask) [Register-ScheduledTask], Cim 
   Exception
    + FullyQualifiedErrorId : HRESULT 0x80070005,Register-ScheduledTask

May 29th, 2015 5:06pm

Not the same issue.

Free Windows Admin Tool Kit Click here and download it now
May 29th, 2015 5:12pm

THis works absolutely fine for me.

Try it to see how it works:

PS C:\scripts>     $trigger = New-ScheduledTaskTrigger -AtLogon
PS C:\scripts>     $action = New-ScheduledTaskAction -Execute {dir c:\}
PS C:\scripts> Register-ScheduledTask -TaskName 'MyTest' -Description 'test task' -Trigger $trigger -Action $action

TaskPath                                       TaskName                          State
--------                                       --------                          -----
\                                              MyTest                            Ready

May 29th, 2015 5:20pm
same result: Access Denied.  I tried running it on another (win 8.1) comp.  same result.  if I add this one thing: -User "$domain\$username" it works fine.  I'd guess the c:\windows\tasks folder were buttered, but on both comps?  also tried different UAC settings. same result. I think I'll just work around it...
Free Windows Admin Tool Kit Click here and download it now
May 29th, 2015 6:00pm

You can only create tasks like that if you are an administrator.

May 29th, 2015 7:10pm

my domain account is in the local admin's group. but if I test with this:

If (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
Write-Host 'not_local_admin'
}

it tells me I'm not_local_admin

I'm wondering if that code is a valid test...  how to tell if admin token is being filtered out?

Free Windows Admin Tool Kit Click here and download it now
May 29th, 2015 7:50pm

You have to run as an administrator.  Windows does not allow you to automatically be an admin.  You have to ask for it when needed.  It is called UAC.

May 29th, 2015 8:15pm

The easiest way to check you tokens is this:

whoami /priv

Free Windows Admin Tool Kit Click here and download it now
May 29th, 2015 8:17pm

with my domain login:

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

logged in as local admin:

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

big discrepancy.  urban legend has it that domain users will acquire local admin privs if placed in the local admins group. is this not the case?  if you can point me in the right direction here that would certainly help...

Specifically, what privs are needed for Scheduled Task creation?

  • Edited by jott220 6 hours 38 minutes ago
May 29th, 2015 8:29pm

with my domain login:

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

logged in as local admin:

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

big discrepancy.  urban legend has it that domain users will acquire local admin privs if placed in the local admins group. is this not the case?  if you can point me in the right direction here that would certainly help...

Specifically, what privs are needed for Scheduled Task creation?

  • Edited by jott220 6 hours 31 minutes ago
Free Windows Admin Tool Kit Click here and download it now
May 29th, 2015 8:37pm

You are under UAC.  You need to Run As an Administrator.  You are not running the script as an administrator you are running it stock.

Right click on PowerShell and select "Run As Administrator" then run your script.  It will work.

Note that these are privileges that define an administrator:

SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

Note that most are disabled.  Yu can enable them by running as an administrator.  This has been true in Windows since Windows Vista which was 10 years ago.

May 29th, 2015 8:43pm

I see... seems we're stuck with UAC like a bad habit.  Of course, Right-clicking is not an option for this particular script.  I tried some self-elevating code in the script but I'm not sure I've got it right.  Is there any best practices you can point me to for elevating ps scripts?

thanks for your help on this.

Free Windows Admin Tool Kit Click here and download it now
May 29th, 2015 8:52pm

Yes.  I can point you at a dozen articles that explain why it is not possible.  You can create code that will prompt for elevation but it is not possible to bypass it.  Besides.  There is no reason to do that.

If you want to automatically install this scheduled task on many machines use Group Policy.  It can define your task across a domain.  That is how we manage modern Windows.    You need to catch up to 21st centurt dmministration. Most oof the ld methods are obsolete and are slowly being disabled or removed.

By the way.  This is also true on most secure Unix systems today.

May 29th, 2015 8:59pm

with my domain login:

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

logged in as local admin:

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

big discrepancy.  urban legend has it that domain users will acquire local admin privs if placed in the local admins group. is this not the case?  if you can point me in the right direction here that would certainly help...

Specifically, what privs are needed for Scheduled Task creation?

  • Edited by jott220 Saturday, May 30, 2015 12:30 AM
Free Windows Admin Tool Kit Click here and download it now
May 30th, 2015 12:28am

with my domain login:

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

logged in as local admin:

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

big discrepancy.  urban legend has it that domain users will acquire local admin privs if placed in the local admins group. is this not the case?  if you can point me in the right direction here that would certainly help...

Specifically, what privs are needed for Scheduled Task creation?

  • Edited by jott220 Saturday, May 30, 2015 12:30 AM
May 30th, 2015 12:28am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics