Task Scheduler on Windows Server 2022 - prevent non-administrators from creating or modifying any task

Anonymous
2024-04-26T20:41:13+00:00

OS: Windows Server 2022, 21H2 OS Build 20348.2402

Application: Task Scheduler

Issue: Non-administrators can run the application, create their own tasks, run them and delete them. Some tasks were created with GPO settings connected with a logged user, not by the user himself.

Goal: Non-administrator users cannot even open the application, or they can open it but have no right to create or edit any task. Any GPO settings cannot cause a creation of a new scheduled task when a logged user is not a member of the group Administrators.

Unsuccessful attempt to solve the problem:

MMC console > new snap-in "Group Policy Object Editor" (Group Policy Object=Local Computer, Users=Non-administrators)

Left menu of MMC console User Configuration > Administrative Templates > Windows Components > Task Scheduler

  • Prohibit browse
  • Prevent Task Run or End
  • Prohibit New Task Creation
  • Prohibit Task Deletion

Settings of these options were changed from "Not Configured" to "Enabled", then a command "gpupdate /force" was run in the elevated command prompt with success.

All these settings were marked with a condition "Requirements: Windows Server 2003, Windows XP, and Windows 2000 only."

Despite configuring GPO as mentioned above, the issue was not solved. It was tested on a member of the group "Remote Desktop Users", who is not a member of the group "Administrators". He could still create a new task in Task Scheduler; however, he could not see other tasks that could be seen by an administrator.

Restrictions for the solution: the solution should not involve modifying the system registries


Locked Question. This question was migrated from the Microsoft Support Community.


5 answers

  1. Anonymous
    2024-04-28T23:51:40+00:00

    Hello,

    How about modifying the built-in security permissions of the Task Scheduler service?

    Remove all non-administrative groups/users or deny the "Write" permission specifically. Ensure "SYSTEM", "Administrators", and necessary system accounts retain full control.

    Regards,

    Karlie

  2. Anonymous
    2024-05-02T06:42:46+00:00

    Hi Karlie,

    nice of you that you've tried to help me. However, I cannot set permissions in the list of Services for the Task Scheduler service:

    In case you mean I should edit the properties of the executable, I have a problem, because Task Scheduler's shortcut in Administrative Tools does not point to any executable, unlike other shortcuts:

    The executable for Task Scheduler was located in folder %windir%\system32\taskschd.msc on Windows Server 2019, and it is on Windows Server 2022 at the same location. However, even logged in as a member of the Administrators group, I cannot modify the Users permission on that executable:

    Do you have any idea how to achieve restriction settings on Task Scheduler in Win Server 2022?

    Regards

    Leos

  3. Anonymous
    2024-05-10T07:51:30+00:00

    Hi there,

    I'm uncertain whether this might lead to any complications with system updates. We could try it out in a test environment. Alternatively, utilizing either the built-in admin account or admin user groups might also work. I opted for the domain admin account since I was logged in with it, though I haven't tried with the other option.

  4. Anonymous
    2024-05-08T07:58:04+00:00

    Hello,

    I found the same situation on my Server 2022. I suppose this is because the owner of taskschd.msc is TrustedInstaller; after I changed the owner to Domain Admin, I can now modify the permission:

    Regards,

    Karlie

  5. Anonymous
    2024-05-09T15:18:26+00:00

    Hello Karlie, this sounds good, but I am careful about changing the default owner just because of regular system updates.

    Does the owner change affect the ability of the OS to update the program?

    Does the new owner have to be a domain admin? I do not have an access to domain admin account.

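The owner change and permission edit discussed in answers 1, 4 and 5 above, as an added PowerShell example that is not part of the original thread: it saves the DACL of taskschd.msc, takes ownership for the local Administrators group, adds a deny entry, and hands ownership back to the previous owner. The group name, the backup path and the helper function `Invoke-Native` are assumptions made for the example.

```powershell
# Added example. Run elevated, and try it on a test server first.
# ASSUMPTION: this group stands in for the non-administrators to block.
$group = 'BUILTIN\Remote Desktop Users'
$msc   = Join-Path $env:windir 'System32\taskschd.msc'
$saved = Join-Path $env:TEMP 'taskschd.msc.dacl'   # DACL backup (icacls /save format)

# Hypothetical helper: run an external tool and stop at the first failure.
function Invoke-Native([string]$What, [scriptblock]$Cmd) {
    & $Cmd | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

# 1. Record the current owner and DACL so the change can be reversed.
#    icacls /save stores the DACL only, so the owner is kept in $before.
$before = Get-Acl -LiteralPath $msc
Write-Host "Owner before: $($before.Owner)"
Invoke-Native 'icacls /save' { icacls $msc /save $saved }

# 2. Give ownership to the local Administrators group, which lets an
#    elevated administrator edit the DACL.
Invoke-Native 'takeown' { takeown /F $msc /A }

try {
    # 3. Deny read/execute on the console file to the group. Deny entries are
    #    evaluated before allow entries, so an administrator who is also a
    #    member of $group is blocked as well.
    Invoke-Native 'icacls /deny' { icacls $msc /deny "$($group):(RX)" }
}
finally {
    # 4. Hand ownership back to whoever owned the file before step 2.
    Invoke-Native 'icacls /setowner' { icacls $msc /setowner $before.Owner }
}

# 5. Show the resulting owner and access entries for review.
$after = Get-Acl -LiteralPath $msc
Write-Host "Owner after:  $($after.Owner)"
$after.Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
```

The deny entry only stops members of the group from loading the Task Scheduler console file; schtasks.exe and the ScheduledTasks PowerShell cmdlets do not read taskschd.msc, so check those paths separately. To undo the change, repeat steps 2 and 4 around `icacls $msc /remove:d $group`.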