Are UAC and schtasks utterly incompatible?
Background: Two Vista Ultimate computers on the same "MSHOME" network/workgroup:

VELOCITY has UAC disabled
SONYLAP has UAC enabled

Both have the same administrator account name and password. Both have firewall settings to allow schtasks remotely. Both below are results from running from that same admin account on both machines.

1) VELOCITY, from an elevated command prompt runs:

C:\> schtasks /QUERY /S SONYLAP

This fails with "Access Is Denied"

2) SONYLAP, from an elevated command prompt runs:

C:\> schtasks /QUERY /S VELOCITY

This succeeds, with a listing of all scheduled tasks on VELOCITY

If I disable UAC on SONYLAP, and reboot it, then example #1 starts working, and example #2 continues to work.

A /query would seem the simplest, safest, least restrictive thing I could try to do, yet it seems there is just no way to make it work with UAC turned on for the remote computer(s). Can this be true? Is the only scenario where schtasks can work on Vista one where the administrator has UAC turned on, and EVERYONE ELSE has to have it turned off in order to use schtasks on the remote Vista machines?

I've seen questions with more elaborate scenarios posted on other boards, but with no direct answer to this seemingly fundamental question: Is it "either/or, but never both" when it comes to schtasks and UAC on Vista?

Any help appreciated, TIA,
WH1957
April 22nd, 2008 2:54am

Hi,

Please disable the Remote UAC on the SONYLAP machine to check the result:

1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type LocalAccountTokenFilterPolicy for the name of the DWORD, and then press ENTER.
5. Right-click LocalAccountTokenFilterPolicy, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor.

For more information about Remote UAC, please refer to the following website:
http://msdn2.microsoft.com/en-us/library/aa826699.aspx

Hope it helps.
April 24th, 2008 9:13am

Hi Joson,

Thanks for your reply and suggestion. It has resolved this issue. After applying the registry edits you suggested above, the query from VELOCITY to SONYLAP now returns a listing of scheduled tasks on SONYLAP, as was expected from the schtasks documentation.

Subsequent to that, a quick and simple test in a non-privileged account on SONYLAP indicates that UAC is still in effect and functioning, at least to the extent that I am familiar with, which is also what I had wanted.

I am too tired, at the moment, to review the link you provided, but I will do so after a good night's sleep. I will be most interested in understanding what, if any, security exposures might have been opened up by this registry edit. I.e., whether there is any reason I shouldn't make this registry edit a standard configuration on both (and any future) Vista machines under my control, and whether any such conclusions would differ between a home and work environment.

Again, your suggestion/solution is much appreciated.

Thanks,
wh1957

P.S. Since I cross-posted this question to the security group, I will cross-post your answer there as well.
April 24th, 2008 10:45am
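
The registry change from the reply above as a script, with a read-only check and a revert path for anyone weighing it as a standard configuration. This is an added example, not part of the original posts; the function names are hypothetical and Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the thread). Audits or sets the Remote UAC
# override value named in the reply. Function names are hypothetical.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'LocalAccountTokenFilterPolicy'

function Get-RemoteUacState {
    # Absent or 0: remote logons by local administrator accounts receive a
    # filtered (non-elevated) token. 1: they receive the full administrator token.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.$PolicyName } else { $null }
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        ValuePresent    = ($null -ne $raw)
        Value           = $raw
        RemoteFiltering = -not ($raw -eq 1)
    }
}

function Set-RemoteUacState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Filtered', 'Unfiltered')]
        [string]$State
    )
    # Writing under HKLM requires an elevated session.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if ($State -eq 'Unfiltered') {
        # Same result as steps 3-6 of the reply: DWORD value set to 1.
        New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
    } else {
        # Removing the value restores the default behaviour (filtering on).
        Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    }
    Get-RemoteUacState
}

# Report the current state without changing anything.
Get-RemoteUacState | Format-List
```

`Set-RemoteUacState -State Filtered` undoes the change; while the value is 1, any local administrator account whose password is shared between machines can administer this one remotely with full rights.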

This topic is archived. No further replies will be accepted.
