任务计划程序的服务帐户权限阅读

tag-icon tag-icon powershell permissions scheduled-task task-scheduler powershell-v5.0
任务计划程序的服务帐户权限阅读

我编写了一个 PowerShell 脚本,用于比较我们应用服务器集群的两个节点之间的计划任务。它使用此代码查询给定服务器的任务...

function getTasks($server) {
    return Get-ScheduledTask -CimSession $server | 
        Where-Object TaskPath -like '*OurFolder*' | 
        ForEach-Object {
            [pscustomobject]@{ 
                Server = $server
                Path = $_.TaskPath
                Name = $_.TaskName
                Disabled = ($_.State -eq 'Disabled')
                Command = $_.Actions.Execute
                Arguments = $_.Actions.Arguments
                Interval = $_.Triggers.RepetitionInterval
                HashId = "$($_.Actions.Execute)|$($_.Actions.Arguments)"
                HashFull = "$($_.TaskPath)|$($_.TaskName)|$($_.Actions.Execute)|$($_.Actions.Arguments)|$(($_.State -eq 'Disabled'))"
            }
        }
}

在我的域管理员帐户下运行时它运行完美。

但是,当我尝试在我们的服务帐户下将其作为计划任务运行时,在尝试查询另一个节点上的计划任务时会出现此错误...

Get-ScheduledTask : SERVER.domain.local: Cannot connect to CIM server. Access is denied.
At F:\Applications\TaskSchedulerNodeCompare\compare-nodes.ps1:9 char:12
+     return Get-ScheduledTask -CimSession $server |
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask

通过谷歌搜索并查看外观允许帐户访问此列表的唯一方法是将其添加到相关服务器上的 LocalAdmins?但将我们的服务帐户设为本地管理员确实感觉不对,而且我们显然不想在我的域管理员帐户下运行该任务。

我试过了解决方案 3 点击此处, 哪个声音就像它会是它一样……

1.  As an Administrator of the server, go to Server Manager -> Tools -> Computer Management.  On the left expand "Services and Applications" and right click "WMI Control".  Go to "Properties".
2.  In the newly open Window, click on Security tab.
3.  Expand Root tree, and then click on the node CIMV2, and click the button security
4.  In the newly open Window, click the button Advanced.
5.  In the newly open Window, click the button Add under the permission tab.
6.  In the newly open Window, click on “select a principal", then search for the user you that was having the problem.  
7.  In the applies to, choose “this namespace and subnamespace".
8.  For the permission, check on “Execute Methods", “Enable Accounts" and “Remote Enable"
9.  Click accept on all the open dialogue boxes
10. Restart WMI services.  As an Admininstrator of the server, go to Server Manager -> Tools -> Computer Management.  On the left expand "Services and Applications" and click on "Services".  Go to "Windows Management Instrumentation" and right click it.  Then choose "Restart".
11. Try the command again. The above directions were adapted from this StackOverflow posting.

但即使完成所有这些步骤,它仍然不起作用。

我如何允许我们的服务帐户从我们的服务器查询(只读)计划的任务,同时尽可能地保证安全?

答案1

据我所知,只有创建者或本地管理员组的成员才能看到计划任务。我还怀疑是否有任何可行的解决方案可以涵盖在更改本地对象或类似对象的权限后创建的任务。

另外,看到这个看起来非常相似的问题/答案: 计划任务的权限或 ACL

相关内容