Administrator doesn't have permission/rights to run tasks !?

Guest

Hello everyone,

I'm trying to run a simple task. I'd like Vista's "task scheduler" to
periodically run a .bat file that I made which goes to the following two
directories and deletes the IE7 cookies that are stored there.

C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\<usersname>\AppData\Roaming\Microsoft\Windows\Cookies

However, I am told that I do not have permission to access these
directories. How can that be, since administrators should have access to all
files and directories on the computer. The other error that I get is that
"task scheduler" tells me that I do not have the "batch rights" to save this
task.

Any insight into this would be a big help.

Paul
 
Mike Brannigan

Paul said:
Hello everyone,

I'm trying to run a simple task. I'd like Vista's "task scheduler" to
periodically run a .bat file that I made which goes to the following two
directories and deletes the IE7 cookies that are stored there.

C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\<usersname>\AppData\Roaming\Microsoft\Windows\Cookies

However, I am told that I do not have permission to access these
directories. How can that be, since administrators should have access to all
files and directories on the computer. The other error that I get is that
"task scheduler" tells me that I do not have the "batch rights" to save this
task.

Any insight into this would be a big help.

Paul

Because even though you may have created an account that is a member of the
administrators group when you installed Windows Vista, that account is
subject to UAC (User Account Control) and thus protected from doing certain
tasks without reconfirming etc.
This includes the ability to access all files and folders on the system by
default. If you need access to certain files and folders then you may need
to grant that account access and the appropriate permissions to them.
The same is true of certain privileges (rights) within the system.

As a member of the administrators group you can use the appropriate tools to
grant these rights and permissions to yourself.
Windows Vista is just a little more secure by default to prevent people who
think they are admins from making mistakes.
If you are an experienced and competent administrator then just use the
tools to grant yourself what you need.
 
Guest

But...

I was trying to share a mounted drive (Z:) so that the UNC path indexer
works and created a batch file to do it for me.

However, even though I am a member of the admin group AND have set my
individual perms to FULL control on Z I get "access denied err 5" - I do not
get a UAC or other prompt for a confirmation password.

If however I "run as administrator" "CMD" - say OK to UAC and then run the
batch file it is fine.

This seems inconsistent to me (and if there's one inconsistency it would not
be inconsistent with Murphy's laws for there to be more...)

Thoughts?
 
mikeyhsd

there is a way to run COMMAND with elevated prompt and then allow you to include the batch file name.
do not know what the switch is for the elevated prompt.
maybe someone can pitch in.



 
Jimmy Brush

Paul said:
Hello everyone,

I'm trying to run a simple task. I'd like Vista's "task scheduler" to
periodically run a .bat file that I made which goes to the following two
directories and deletes the IE7 cookies that are stored there.

C:\Users\User\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\<usersname>\AppData\Roaming\Microsoft\Windows\Cookies

However, I am told that I do not have permission to access these
directories. How can that be, since administrators should have access to all
files and directories on the computer. The other error that I get is that
"task scheduler" tells me that I do not have the "batch rights" to save this
task.

Any insight into this would be a big help.

Paul

Hello,

In Windows Vista, even though you are an administrator, only programs
that ask for your permission ("Windows needs your permission to
continue") are allowed to use your admin rights.

This isn't meant to protect you from yourself; rather, this prevents
programs that you do not start from using your admin power.

If you need a program you are starting from task scheduler to run with
admin rights, you will need to run the task with 'highest privilege' by
checking the appropriate box, or running it in the context of a system
account.

At what time do you receive the batch rights / access denied errors?
 
Guest

Hi Jimmy,

In my case the access denied occurs on the Net Share command.

I appreciate the protection from things running things without my permission
but

1. I have runas in the batchfile and I must give it my password - that
should be enough
2. Even though it clearly isn't enough, when it gets to the Net Share, why
don't I get a UAC prompt? why does it just go ahead - and fail?

[I run with Admin rights all the time now as it makes no difference to UAC
for the reasons you outline but at least I can click to continue rather than
having to enter a password each time]

[Incidentally, when I accidentally "ranas" with the wrong user account
("Admin" instead of my username, but obviously an account with Admin rights)
I also got an access denied on running SyncToy (the next line in the batch
file) because it was Julian's app - I think - it doesn't make any sense to me
to block things like this]

I hope someone can answer mikeyhsd's Q about an appropriate switch for COMMAND

Thanks
 
Jimmy Brush

Julian said:
Hi Jimmy,

In my case the access denied occurs on the Net Share command.

I appreciate the protection from things running things without my permission
but

1. I have runas in the batchfile and I must give it my password - that
should be enough
2. Even though it clearly isn't enough, when it gets to the Net Share, why
don't I get a UAC prompt? why does it just go ahead - and fail?

[I run with Admin rights all the time now as it makes no difference to UAC
for the reasons you outline but at least I can click to continue rather than
having to enter a password each time]

[Incidentally, when I accidentally "ranas" with the wrong user account
("Admin" instead of my username, but obviously an account with Admin rights)
I also got an access denied on running SyncToy (the next line in the batch
file) because it was Julian's app - I think - it doesn't make any sense to me
to block things like this]

I hope someone can answer mikeyhsd's Q about an appropriate switch for COMMAND

Thanks

I am confused - are you or are you not starting the batch file from task
scheduler?

There's no need to use runas when you're using task scheduler - you can
specify using task scheduler what user to run the batch file under - and
by checking the highest privilege box, it will allow the file to use the
admin power.

The reason entering a password into runas isn't good enough for
elevation is because other programs can run this command on your behalf
without your knowledge. The UAC prompt ensures that you are actually the
one performing the action, in such a way that programs can't fake.

The reason task scheduler can do this but runas can't is because task
scheduler is only accessible to administrator programs that have already
prompted, while runas can be used by any program.

Unfortunately, command-line programs don't prompt for admin power
on-demand when they are run (which would make this scenario possible).
They must be run from a command prompt that you have started with admin
power by right-clicking it and clicking run as administrator. But even
in that case, runas won't work like you want it to (and I don't have a
good reason why this happens, either; one would think it would).

I'm not exactly sure why it was designed that way.

Using runas to run a program under a different account does not elevate
the program to administrator status, even if the user is an
administrator, nor is there any way to cause it to prompt for elevation
that I am aware of.

I highly recommend not using runas for this purpose and instead use the
task scheduler to run the batch file in the context of the account you want.

However, if you must have runas work as you expect it to, you can enable
the built-in administrator account from an elevated command prompt (net
user administrator /active:yes) and then set its password to something.

If you use the runas command to run something in the context of the
built-in administrator account, that program *will* have admin power and
it *will not prompt for permission*.

While this makes things easier, it is less secure than using the task
scheduler, because 1) the admin password is stored in plaintext and 2)
the access permissions on your batch files are less strict than the ones
on the task scheduler, unless you manually modify them.
 
Jimmy Brush

The reason entering a password into runas isn't good enough for
elevation is because other programs can run this command on your behalf
without your knowledge. The UAC prompt ensures that you are actually the
one performing the action, in such a way that programs can't fake.

Actually, after thinking about it some more, it is probably more to keep
your password secure from other programs than to keep other programs
from using your password.

It would be different if runas was hooked into UAC to allow it to
securely ask for the info, but then it would have a dependency on UAC,
which wouldn't work for the people who turn it off.
 
Guest

Sorry for any confusion - my issue is related to but different from the
original post - I wasn't clear enough about that: this has nothing to do
with the task scheduler.

Must confess I didn't understand the point that
The reason entering a password into runas isn't good enough for
elevation is because other programs can run this command on your behalf
without your knowledge.

because I hadn't found a way to pass a password into runas - I don't find a
parameter for that so I can't see how another program could run something on
my behalf (and where would it get the password from??)

I am very tempted to join the "UAC OFF Club" - after three months now I am
heartily sick of jumping through hoops. I read the technique (was it yours?)
for using scheduler to get UAC-causing tasks to run without UAC prompts at
startup but it seems that to make a Microsoft omelette breaking the eggs is
just not good enough - they have to be painstakingly disassembled according
to some obscure specification.

Thanks for the feedback though - it was illuminating...

Julian

 
Jimmy Brush

Julian said:
Sorry for any confusion - my issue is related to but different from the
original post - I wasn't clear enough about that: this has nothing to do
with the task scheduler.

Must confess I didn't understand the point that
The reason entering a password into runas isn't good enough for
elevation is because other programs can run this command on your behalf
without your knowledge.

because I hadn't found a way to pass a password into runas - I don't find a
parameter for that so I can't see how another program could run something on
my behalf (and where would it get the password from??)

I am very tempted to join the "UAC OFF Club" - after three months now I am
heartily sick of jumping through hoops. I read the technique (was it yours?)
for using scheduler to get UAC-causing tasks to run without UAC prompts at
startup but it seems that to make a Microsoft omelette breaking the eggs is
just not good enough - they have to be painstakingly disassembled according
to some obscure specification.

Thanks for the feedback though - it was illuminating...

Julian

Windows Vista is a big change from XP, which will inevitably require
learning new ways of doing the same thing.

We can only hope that there will be some benefit as a result of changing
over. I am convinced there is. :)
 
Guest

Thanks for your reply, Jim.

I get the "batch rights" message when I try to make changes to the task.
It says you need these rights in order to save those changes.

I actually did try checking the "run with highest privileges" box. Nothing
changed.

Paul
___________________________________
 
Guest

'Competent and experienced administrator' ? Not really. I am setting up a
new computer for my parents to use. I am trying to set up this automated
task so that my parents don't have to bother with this. I have never used
Vista before and I have never been an administrator before. Up until now I
have been using Win98.
_________________________________
 
Jimmy Brush

Hmm...

So, you get the error from the task scheduler interface itself when
trying to change the properties of the task?

Do you get the error after entering your username and password after
clicking OK?

If yes to both, try telling the program to run in the context of a
system account -> Click change user or group, type system, press enter.

Can you change any of the attributes of the task, or do you only get the
message when changing certain properties?

Are you an administrator?

If you are an administrator, could you do this:

- Click start
- Type: command prompt
- Right-click command prompt when it appears
- Click Run As Administrator
- Type: whoami /all
- Paste the results of this command into a reply
 
Jimmy Brush

If you are an administrator, could you do this:

- Click start
- Type: command prompt
- Right-click command prompt when it appears
- Click Run As Administrator
- Type: whoami /all
- Paste the results of this command into a reply

I am only interested in the "privileges information" section
 
Guest

Hello Jimmy,

Sorry for the late reply; I was out of town for a few days.

To answer your question. I do get the error after typing the admin password
and clicking "OK". It looks like it doesn't like one of the settings.

I tried your other suggestion and changed the user to "SYSTEM" in the task
properties. According to the event viewer, the tasks ran successfully.
However, the cookies were not deleted ! Here is what the event viewer said:

"Task Scheduler successfully finished
"{D4AC8E70-A4F4-409F-9912-E4B1EC320E35}" instance of the
"\Paul'sTasks\PPADeleteCookies" task for user "WORKGROUP\PARENTSPC$"."

I also typed "whoami /all" in the command window. There were 23 items in
the "privileges information" section, all of them were disabled. I couldn't
do a copy & paste.
_______________________________
 
Ronnie Vernon MVP

Paul

Just a quick tip.

To copy the text in the command window, click the small icon at the top/left
of the command window. This will reveal a menu. Click Edit / Select All and
then press ENTER. This will copy all of the text in the window to the
clipboard.

Open an instance of Notepad and Right Click / Paste. You can then edit the
text to focus on the info you need and then copy/paste the results into your
newsgroup reply.
 
Jimmy Brush

Try changing the "command to execute" for the task to:

c:\windows\system32\cmd.exe /E:ON /C "c:\path\to\file\file.bat"
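
An added example, not part of the original thread and not any poster's own script: one way to register such a task from the command line, combining the "highest privileges" setting Jimmy Brush describes earlier in the thread with the cmd.exe /E:ON /C command line above. The task name, schedule and run-as account are assumptions chosen for illustration.

```bat
@echo off
setlocal EnableExtensions

rem Placeholders (assumptions, not values from the thread).
set "TASK_NAME=DeleteCookies"
set "SCRIPT=c:\path\to\file\file.bat"

rem An elevated process carries the High Mandatory Level group
rem (SID S-1-16-12288) in its token. Programs an administrator starts
rem normally under UAC get a filtered token at Medium level instead,
rem which is why admin-only commands fail with "access denied" and
rem no prompt appears.
whoami /groups | find "S-1-16-12288" >nul
if errorlevel 1 (
    echo Not elevated: open Command Prompt with "Run as administrator" first.
    exit /b 1
)

rem /RL HIGHEST is the command-line form of the "Run with highest
rem privileges" check box. /RU names the account the task runs as and
rem /RP * makes schtasks prompt for its password, so the password is
rem never written into this file. /F replaces an existing task of the
rem same name.
schtasks /Create /TN "%TASK_NAME%" /SC DAILY /ST 03:00 /RL HIGHEST ^
    /RU "%USERNAME%" /RP * /F ^
    /TR "c:\windows\system32\cmd.exe /E:ON /C \"%SCRIPT%\""
if errorlevel 1 exit /b 1

rem Show what was registered, including the run-as user and run level.
schtasks /Query /TN "%TASK_NAME%" /V /FO LIST

rem If the task is set to run as SYSTEM instead, %APPDATA% and
rem %USERPROFILE% inside the batch file resolve to the SYSTEM profile,
rem so the batch file has to use the full C:\Users\<username>\... paths.
```

Keep the batch file itself writable only by administrators, since anything that can edit it runs with the task's elevated rights.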
 
Guest

It works now, thanks Jimmy.

Paul

════════════════════════════════════
 
Jimmy Brush

Paul said:
It works now, thanks Jimmy.

Paul

════════════════════════════════════

Glad you got it working :)
 
Soul Always Sings

Paul, when I go to Systems, I am not even listed as "administrator", even
though in the Control Panel I am listed as the administrator. Ever since my
computer was repaired, someone named 'v' is the administrator, and there
seems to be nothing I can do to change 'v' to my name. I even bought and ran
the RegCure program which made a scan of everything in my computer and found
about one million errors! So I am really perplexed! How can I get rid of
Mr. 'v' as the administrator of MY computer?
 
