Creating Scheduled Task with Powershell - Using specific user account



  • Ok so here is the breakdown. I've got a script that works to install chocolatey, and with it a bunch of software that is generally useful.

    I also want to create a scheduled task at the same time that will run once a month and run choco upgrade all -y and reboot the computer.

    I'm having issues with setting the permissions to use the local admin account we have on our systems. Any help would be appreciated.

    Code:

    Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
    choco install flashplayerplugin flashplayeractivex firefox googlechrome vlc sharex filezilla openshot 7zip.install wiztree -y
    #Create a new trigger that fires every 4 weeks on Saturday at 8PM
    $STTrigger = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 -DaysOfWeek Saturday -At 8PM
    #Name for the scheduled task
    $STName = "choco-upgrade"
    #Action to run as
    $STAction = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-ExecutionPolicy Bypass c:\Scripts\choco-upgrade.ps1'
    #Configure when to stop the task and how long it can run for. In this example it does not stop on idle and uses the maximum possible duration by setting a timelimit of 0
    $STSettings = New-ScheduledTaskSettingsSet -DontStopOnIdleEnd -ExecutionTimeLimit ([TimeSpan]::Zero)
    #Configure the principal to use for the scheduled task and the level to run as
    $STPrincipal = Register-ScheduledTask -TaskName "choco-upgrade" -user "user" -Password "password" -Action "Powershell.exe" -Argument "-ExecutionPolicy Bypass c:\Scripts\choco-upgrade.ps1" -RunLevel Highest 
    #Register the new scheduled task
    Register-ScheduledTask $STName -Action $STAction -Trigger $STTrigger -Principal $STPrincipal -Settings $STSettings
    New-Item -ItemType directory -Path C:\Scripts
    cd "c:\"
    copy-item "\\serverpath\folder\folder\Scripts\choco-upgrade.ps1" -Destination "C:\Scripts\choco-upgrade.ps1"


  • The critical goal is to avoid having to manually create the scheduled tasks, otherwise the rest works as is intended.



  • Are you getting any kind of error message or what?



  • @dafyre yea at least with this recent change. I have a slightly different version that runs from the administrators group, but it requires a user to be logged in.

    This I believe will cause issues, hence I'm trying to sort out the approach above, which ideally, will "runas" and then do its thing. . .

    Simply put: yes it's telling me I'm stupid

    🙂



  • A couple of quick examples I checked show the job running as SYSTEM instead of a local admin account.

    Also...

    #Configure the principal to use for the scheduled task and the level to run as
    $STPrincipal = Register-ScheduledTask -TaskName "choco-upgrade" -user "user" -Password "password" -Action "Powershell.exe" -Argument "-ExecutionPolicy Bypass c:\Scripts\choco-upgrade.ps1" -RunLevel Highest 
    

    Should the $STPrincipal actually be something generated by new-scheduledtaskprincipal ?

    (I'm looking at a simple example from https://snippets.cacher.io/snippet/dbb81e60b3fedfa47914)



  • @dafyre said in Creating Scheduled Task with Powershell - Using specific user account:

    A couple of quick examples I checked show the job running as SYSTEM instead of a local admin account.

    Also...

    #Configure the principal to use for the scheduled task and the level to run as
    $STPrincipal = Register-ScheduledTask -TaskName "choco-upgrade" -user "user" -Password "password" -Action "Powershell.exe" -Argument "-ExecutionPolicy Bypass c:\Scripts\choco-upgrade.ps1" -RunLevel Highest 
    

    Should the $STPrincipal actually be something generated by new-scheduledtaskprincipal ?

    (I'm looking at a simple example from https://snippets.cacher.io/snippet/dbb81e60b3fedfa47914)

    Likely, this was my first attempt at using powershell to create a scheduled task and I found a script (above) which I've bastardized to try and do what I want.

    I could likely just use my working script and see how it goes. . but I hate having to rely on someone being logged in. . .



  • Can you post a sanitized version of the script you want to use?

    Also, I thought requiring a person to be logged on was dependent on options you chose when creating the scheduled task?



  • Working version

    Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
    choco install flashplayerplugin flashplayeractivex firefox googlechrome vlc sharex filezilla openshot 7zip.install wiztree -y
    #Create a new trigger that fires every 4 weeks on Saturday at 8PM
    $STTrigger = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 -DaysOfWeek Saturday -At 8PM
    #Name for the scheduled task
    $STName = "choco-upgrade"
    #Action to run as
    $STAction = New-ScheduledTaskAction -Execute "powershell.exe -ExecutionPolicy Bypass c:\Scripts\choco-upgrade.ps1"
    #Configure when to stop the task and how long it can run for. In this example it does not stop on idle and uses the maximum possible duration by setting a timelimit of 0
    $STSettings = New-ScheduledTaskSettingsSet -DontStopOnIdleEnd -ExecutionTimeLimit ([TimeSpan]::Zero)
    #Configure the principal to use for the scheduled task and the level to run as
    $STPrincipal = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel "Highest"
    #Register the new scheduled task
    Register-ScheduledTask $STName -Action $STAction -Trigger $STTrigger -Principal $STPrincipal -Settings $STSettings
    New-Item -ItemType directory -Path C:\Scripts
    cd "c:\"
    copy-item "\\serverpath\folder\folder\Scripts\choco-upgrade.ps1" -Destination "C:\Scripts\choco-upgrade.ps1"


  • @dafyre said in Creating Scheduled Task with Powershell - Using specific user account:

    Also, I thought requiring a person to be logged on was dependent on options you chose when creating the scheduled task?

    It is, and thus the point of me attempting to figure out how to specify a user rather than a group via powershell.

    Doing it via the gui is simple, it's trying to do it via powershell that has me hung up.



  • Hrmm. . .

    I wonder if New-ScheduledTaskPrincipal -UserID 'localhost\user' would work. . . but what would I use to pass in the password. . .



  • @dustinb3403 said in Creating Scheduled Task with Powershell - Using specific user account:

    Hrmm. . .

    I wonder if New-ScheduledTaskPrincipal -UserID 'localhost\user' would work. . . but what would I use to pass in the password. . .

    Why are you running it as a specific user instead of SYSTEM ?



  • @dafyre said in Creating Scheduled Task with Powershell - Using specific user account:

    @dustinb3403 said in Creating Scheduled Task with Powershell - Using specific user account:

    Hrmm. . .

    I wonder if New-ScheduledTaskPrincipal -UserID 'localhost\user' would work. . . but what would I use to pass in the password. . .

    Why are you running it as a specific user instead of SYSTEM ?

    For some unknown to me reason running as a system task was failing. . .



  • Oh I know why now. . .

    Rather than actually running the powershell script (task scheduler) it is launching notepad to attempt to open the ps1 file.

    This obviously is a failure.

    What needs to execute is "powershell.exe" with arguments -ExecutionPolicy Bypass c:\Scripts\choco-upgrade.ps1



  • Which maybe (can't recall if I tried this. . .) just doing

    -execute 'powershell.exe' -arguments '. .. . ' will work. .



  • Nope that fails. . . -Arguments isn't a known parameter



  • This here says I should be using New-ScheduledTaskAction with -execute and -argument

    but it fails.. . .



  • doh. . . it would help if I didn't fatfinger the spelling of "Argument". . .

    Working version

    Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
    choco install flashplayerplugin flashplayeractivex firefox googlechrome vlc sharex filezilla openshot 7zip.install wiztree -y
    #Create a new trigger that fires every 4 weeks on Saturday at 8PM
    $STTrigger = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 -DaysOfWeek Saturday -At 8PM
    #Name for the scheduled task
    $STName = "choco-upgrade"
    #Action to run as
    $STAction = New-ScheduledTaskAction -Execute 'Powershell.exe' -Argument '-ExecutionPolicy Bypass c:\Scripts\choco-upgrade.ps1'
    #Configure when to stop the task and how long it can run for. In this example it does not stop on idle and uses the maximum possible duration by setting a timelimit of 0
    $STSettings = New-ScheduledTaskSettingsSet -DontStopOnIdleEnd -ExecutionTimeLimit ([TimeSpan]::Zero)
    #Configure the principal to use for the scheduled task and the level to run as
    $STPrincipal = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel "Highest"
    #Register the new scheduled task
    Register-ScheduledTask $STName -Action $STAction -Trigger $STTrigger -Principal $STPrincipal -Settings $STSettings
    New-Item -ItemType directory -Path C:\Scripts
    cd "c:\"
    copy-item "\\serverpath\folder\folder\Scripts\choco-upgrade.ps1" -Destination "C:\Scripts\choco-upgrade.ps1"


  • So using the SYSTEM account appears to work, at least when I manually run the task. So meh w/e. It still requires a user to be logged in, which I might see if I can change that flag as I don't want to rely on my users remaining logged in.

    But they likely never sign out either.
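
Added example, not part of the thread or written by any poster: one way to register the same task so it does not depend on an interactive logon, either as SYSTEM with a service-account logon type or as a named local account through the `-User`/`-Password` parameter set. The task name, script path and trigger come from the posts above; `localadmin` and the `$UseNamedAccount` switch are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Task name, script path and trigger are
# taken from the posts above; 'localadmin' is a hypothetical account name.
$TaskName        = 'choco-upgrade'
$ScriptDir       = 'C:\Scripts'
$ScriptPath      = Join-Path $ScriptDir 'choco-upgrade.ps1'
$UseNamedAccount = $false   # $true = run as a specific local user instead of SYSTEM

# The task runs elevated, so whoever can write to this folder controls what it executes.
# Create it before the script is copied in and allow only SYSTEM and Administrators.
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
icacls $ScriptDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Program and arguments are separate parameters; -File makes PowerShell run the script.
$Action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
                -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$Trigger  = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 -DaysOfWeek Saturday -At 8PM
$Settings = New-ScheduledTaskSettingsSet -DontStopOnIdleEnd -ExecutionTimeLimit ([TimeSpan]::Zero)
$Common   = @{ TaskName = $TaskName; Action = $Action; Trigger = $Trigger; Settings = $Settings; Force = $true }

if (-not $UseNamedAccount) {
    # SYSTEM as a service account: no stored password, runs with nobody logged on.
    $Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                     -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask @Common -Principal $Principal | Out-Null
}
else {
    # Named account: -User/-Password are a separate parameter set from -Principal.
    # Prompt for the password instead of writing it into the script.
    $Cred = Get-Credential -UserName "$env:COMPUTERNAME\localadmin" -Message 'Account for choco-upgrade'
    Register-ScheduledTask @Common -User $Cred.UserName `
        -Password $Cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null
}

# Confirm what was registered: account, logon type and run level.
(Get-ScheduledTask -TaskName $TaskName).Principal | Select-Object UserId, LogonType, RunLevel
```

A principal built with `-GroupId`, as in the working version above, is tied to a logged-on member of that group, which matches the behaviour described in the post.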



  • I know this post is old, but I've found doing scheduled tasks with SaltStack is insanely simple and very effective lately... so much more than using MS Group Policy.

    https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.win_task.html



  • @obsolesce said in Creating Scheduled Task with Powershell - Using specific user account:

    I know this post is old, but I've found doing scheduled tasks with SaltStack is insanely simple and very effective lately... so much more than using MS Group Policy.

    https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.win_task.html

    I really want to get back into learning saltstack again.



  • @wrx7m said in Creating Scheduled Task with Powershell - Using specific user account:

    @obsolesce said in Creating Scheduled Task with Powershell - Using specific user account:

    I know this post is old, but I've found doing scheduled tasks with SaltStack is insanely simple and very effective lately... so much more than using MS Group Policy.

    https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.win_task.html

    I really want to get back into learning saltstack again.

    You can, in theory, use it to report and manage Windows Defender.



  • @wrx7m said in Creating Scheduled Task with Powershell - Using specific user account:

    @obsolesce said in Creating Scheduled Task with Powershell - Using specific user account:

    I know this post is old, but I've found doing scheduled tasks with SaltStack is insanely simple and very effective lately... so much more than using MS Group Policy.

    https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.win_task.html

    I really want to get back into learning saltstack again.

    Here's an example of a task that goes to all minions it's supposed to go to... and it "just works". No AD required.
    Also, using SaltStack to sync that .ps1 it runs from GitLab:

    [image attachment not included]