Task Scheduler Best practices
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Set appropriate permissions on the file your scheduled task will run.
To prevent a malicious user from corrupting a program that a scheduled task is set to run, restrict access to the program file to only the specific users who need it.
For more information about setting permissions on a file, see Set, view, change, or remove permissions on files and folders.
Make sure you have correct password information for your users.
Before creating a scheduled task, check that the account and password information you will enter for the user in the Add Scheduled Task wizard, or in the Run as box in the scheduled task's property dialog box, is accurate. If an account password expires, any scheduled task for which that user has been specified will not run. For more information, see Task Scheduler and security.
Encourage your users to use strong passwords.
Scheduled tasks always run under the context of a specific account, with the set of permissions that the account's group membership provides. To prevent a malicious user from modifying a scheduled task using another user's account name and password, encourage the use of strong passwords. For more information about strong passwords, see Strong passwords.
Choose carefully when deciding which tasks to schedule under the System account.
Tasks scheduled under the System account (or AT Service account) will run regardless of which user is logged on to a computer. Often these tasks will run in the background, unnoticed by the user.
For more information about the implications of running a task under the System account, see Act as part of the operating system.
Before stopping a scheduled task that is running, check for other scheduled tasks that are dependent on the task.
If you stop a scheduled task that is running without checking for dependent tasks, other tasks might not run or might run incorrectly.
Only create scheduled tasks on domain controllers if absolutely necessary.
If you are a member of the Administrators group, and the local computer on which you create a scheduled task is a domain controller, the scheduled task could affect objects in the entire domain.
Avoid entering a member of the Domain group in the Add Scheduled Task wizard or Run as box when creating a scheduled task.
It is possible that a malicious user who is a member of the Administrators group could obtain those credentials and access the entire domain.
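An added example, not part of the original page: this Python script audits exported `schtasks /query /fo csv /v` output for the cases called out above, listing tasks that run as System or as an account you designate as privileged, together with the program file whose permissions should be reviewed. The column names are assumed to match English-locale output; the sample rows, the EXAMPLE domain and the da-admin account are constructed.

```python
import csv
import io

# Constructed sample of `schtasks /query /fo csv /v` output, trimmed to three
# columns. Column names are assumed to match English-locale tool output.
SAMPLE = r'''"TaskName","Run As User","Task To Run"
"NightlyBackup","NT AUTHORITY\SYSTEM","C:\Tools\backup.exe /full"
"NightlyBackup","NT AUTHORITY\SYSTEM","C:\Tools\backup.exe /full"
"TaskName","Run As User","Task To Run"
"ReportSync","EXAMPLE\svc-report","""C:\Program Files\Sync\sync.exe"" -q"
"DomainCleanup","EXAMPLE\da-admin","C:\Scripts\cleanup.cmd"
'''
COLUMNS = ("TaskName", "Run As User", "Task To Run")

def account_name(run_as):
    """Drop the domain or authority prefix and normalise case."""
    return run_as.rsplit("\\", 1)[-1].strip().upper()

def program_path(task_to_run):
    """Return the executable from 'Task To Run', without its arguments."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]

def audit(csv_text, privileged=()):
    """Return sorted (task, account, program, reason) tuples worth reviewing."""
    privileged = {p.upper() for p in privileged}
    rows = list(csv.reader(io.StringIO(csv_text)))
    header = rows[0]
    idx = [header.index(name) for name in COLUMNS]
    findings = set()  # duplicate rows for one task collapse into one finding
    for row in rows[1:]:
        if row == header or len(row) != len(header):
            continue  # repeated header or malformed line
        task, run_as, cmd = (row[i] for i in idx)
        acct = account_name(run_as)
        if acct == "SYSTEM":
            reason = "runs as System"
        elif acct in privileged:
            reason = "runs as privileged account"
        else:
            continue
        findings.add((task, run_as, program_path(cmd), reason))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE, privileged=["da-admin"]):  # hypothetical name
        print(" | ".join(finding))
```

Each program path in the result is a file whose permissions should be restricted to the users who need access.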