Task Security Context

Applies To: Windows 7, Windows Server 2008 R2, Windows Server 2012, Windows Vista

A scheduled task, by default, runs within the security context of the user who scheduled the task and only runs if that user is logged on when the task is triggered. To modify this, change the settings in the Security options section of the General tab when a task's properties are displayed.

You can select a different user or group account for a task to run under by clicking the Change User or Group button. The button will be titled Change User if your user account is not a member of the Administrators group. User accounts that are not in the Administrators group can only specify a user account for a task to run under.

Note

If a task is registered with the Administrators group as its security context, you must also select the Run with highest privileges check box or the task will not run: with User Account Control enabled, the non-elevated token that the task would otherwise receive has its Administrators group membership filtered out.

You can specify that a task should run even if the account under which the task is scheduled to run is not logged on when the task is triggered. To do this, select the radio button labeled Run whether user is logged on or not. If this option is selected, the task runs non-interactively: it cannot display windows or interact with the desktop of a logged-on user. To make a task run interactively, select the Run only when user is logged on radio button.

When the Run whether user is logged on or not option is selected, you may be prompted to supply the credentials of the account when you save the task, whether or not you also select the Do not store password check box. If the password is stored and the account is not logged on when the task is triggered, the service uses the saved credentials to log the account on and obtains a full logon token: the task has unconstrained use of the account's identity, including access to network resources.

If you select the check box labeled Do not store password, Task Scheduler authenticates the supplied credentials and then discards them instead of storing them on the local computer. When the task needs to run, the Task Scheduler service uses the Service-for-User (S4U) extensions to the Kerberos authentication protocol to obtain a logon token for the account without a password.

When using S4U, the ability of the service to use the security context of the account is constrained. An S4U logon produces a token with no cached credentials for the account, so the task can use that security context only to access local resources; it cannot authenticate to other computers as that account.

Note

If your task requires access to network resources, you cannot use S4U; doing so will cause your task to fail. The only exception is the case where constrained delegation (with protocol transition) has been configured between the computers involved in the operation.
S4U functionality is only available in an environment where all the domain controllers (DCs) in the domain are running Windows Server 2003 or later.
If you are using the S4U functionality, the task will not have access to files protected by Encrypting File System (EFS), because the user's EFS key is protected by a key derived from the password, which the service does not have.
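The three security-context combinations described above (interactive only, stored password, and S4U with no stored password), together with the Run with highest privileges setting, can be registered from the command line. The following is an added example, not code from the original page; it uses the ScheduledTasks PowerShell module, which ships with Windows 8 and Windows Server 2012 and later (on Windows 7, Windows Vista and Windows Server 2008 R2 use schtasks.exe instead, see the note after the block). The task names, the account CONTOSO\svc-backup and the script path are placeholders.

```powershell
# Added example (not from the original page): register the same task three times,
# once per security-context option, to see what each option stores and permits.
# 'CONTOSO\svc-backup', the task names and C:\Scripts\backup.ps1 are placeholders.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At '2:00 AM'
$user    = 'CONTOSO\svc-backup'

# 1. "Run only when user is logged on": the task reuses the interactive logon
#    session, may show UI, and no credentials are stored by the service.
$interactive = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive
Register-ScheduledTask -TaskName 'Backup-Interactive' -Action $action `
    -Trigger $trigger -Principal $interactive

# 2. "Run whether user is logged on or not" with the password stored: the
#    service performs a full logon, so the task can reach network resources,
#    but the account's password now lives in the Task Scheduler credential store.
$cred = Get-Credential -UserName $user -Message 'Password to store for the task'
Register-ScheduledTask -TaskName 'Backup-StoredPassword' -Action $action `
    -Trigger $trigger -User $user `
    -Password $cred.GetNetworkCredential().Password -RunLevel Limited

# 3. "Run whether user is logged on or not" + "Do not store password": an S4U
#    logon. Nothing secret is stored, but the token is local-only, the account
#    needs "Log on as a batch job", and EFS-protected files are unreadable.
#    RunLevel Highest is the "Run with highest privileges" check box.
$s4u = New-ScheduledTaskPrincipal -UserId $user -LogonType S4U -RunLevel Highest
Register-ScheduledTask -TaskName 'Backup-S4U' -Action $action `
    -Trigger $trigger -Principal $s4u

# Confirm what was actually registered for each variant.
Get-ScheduledTask -TaskName 'Backup-*' |
    Select-Object TaskName,
        @{ n = 'User';      e = { $_.Principal.UserId } },
        @{ n = 'LogonType'; e = { $_.Principal.LogonType } },
        @{ n = 'RunLevel';  e = { $_.Principal.RunLevel } }
```

On the older systems listed under Applies To, the same choices map onto schtasks.exe switches: /RU and /RP register a stored password, /RU with /NP registers the no-stored-password (S4U) variant, /IT restricts the task to an interactive logon, and /RL HIGHEST corresponds to Run with highest privileges. Whichever tool you use, treat the stored-password variant as the one that leaves a reusable secret on the host; prefer S4U whenever the task touches only local resources.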

If you are using the S4U functionality, make sure the Log on as a batch job user right is granted to the account (directly or through a group it belongs to) and that it is not listed under Deny log on as a batch job; otherwise the logon fails and the task does not run. The local setting is accessible by opening Control Panel, Administrative Tools, and then Local Security Policy. In the Local Security Policy window, click Local Policies, User Rights Assignment, and then Log on as a batch job. In a domain, a Group Policy Object may override the local setting.
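Rather than opening the Local Security Policy console on every host, the effective user-rights assignment can be exported with secedit.exe and inspected. The following is an added example, not code from the original page: it reports whether an account is directly granted or directly denied the batch logon right, and which default groups carry it. It must run from an elevated prompt because the export needs administrative rights; CONTOSO\svc-backup is a placeholder.

```powershell
# Added example (not from the original page): check whether an account holds
# "Log on as a batch job" (SeBatchLogonRight) and is not explicitly denied it
# (SeDenyBatchLogonRight) before registering an S4U task. Run elevated;
# 'CONTOSO\svc-backup' is a placeholder account name.
function Test-BatchLogonRight {
    param([Parameter(Mandatory)][string]$Account)

    # The exported policy lists SIDs, so translate the account name first.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the user-rights area of the effective local policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $policy = Get-Content -Path $cfg
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    # Each right appears as one line in the [Privilege Rights] section, e.g.
    #   SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559
    # Entries are SIDs prefixed with '*' (or plain names when unresolvable).
    function Get-RightHolders([string]$Right) {
        $line = $policy | Where-Object { $_ -match "^$Right\s*=" }
        if (-not $line) { return @() }
        ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }

    $granted = Get-RightHolders 'SeBatchLogonRight'
    $denied  = Get-RightHolders 'SeDenyBatchLogonRight'

    # Groups that carry the right out of the box: Administrators, Backup
    # Operators, Performance Log Users. Membership in any listed group also
    # satisfies the policy; this function does not expand group membership,
    # so a $false GrantedDirect is not by itself a failure.
    $defaultGroups = 'S-1-5-32-544', 'S-1-5-32-551', 'S-1-5-32-559'

    [pscustomobject]@{
        Account       = $Account
        Sid           = $sid
        GrantedDirect = $granted -contains $sid
        DeniedDirect  = $denied  -contains $sid
        GrantedGroups = @($granted | Where-Object { $_ -in $defaultGroups })
        AllGranted    = $granted
    }
}

Test-BatchLogonRight -Account 'CONTOSO\svc-backup'
```

A deny entry always wins over a grant, so DeniedDirect = $true means the S4U task will fail regardless of what GrantedDirect or group membership says. Because the export reflects the policy in force on that computer, the result already includes any Group Policy override of the local setting.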

For more information about the S4U Kerberos extensions, see the Microsoft protocol specification [MS-SFU] (Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol); the underlying Kerberos protocol is specified in RFC 4120, which obsoletes RFC 1510.

If you select the check box labeled Run with highest privileges, Task Scheduler runs the task with the account's full (elevated) token rather than the filtered, least-privilege token that User Account Control normally hands to members of the Administrators group; for an account that is not a member of that group the setting has no effect. Only tasks that require elevated privileges to complete their actions should run with elevated privileges. For more information, see User Account Control.