#12785 - 2002-11-09 05:44 AM
Re: HOW-TO: Running scripts with ADMIN powers
|
Anupam Agarwal
Fresh Scripter
Registered: 2002-09-25
Posts: 17
Loc: Austin, TX
|
Hi Jens, Sorry for reopening this thread all over again. I read your article in detail and followed it but ran into a problem. I am sure you have a fix for it. So, here goes...
I took your code and put it in a batch file for testing. Here is what batch file looked like:
code:
JT.EXE /CTJ StartDate=TODAY StartTime=NOW HasEndDate=0 KillAtDuration=0 Disabled=0 Type=ONCE /SC domain\domadmin password /SJ ApplicationName="test.exe" Parameters="" WorkingDirectory="C:\WINNT" Comment="Test Script" Creator="Administrator" Priority=Normal MaxRunTime=21600000 DontStartIfOnBatteries=0 KillIfGoingOnBatteries=0 RunOnlyIfLoggedOn=0 SystemRequired=0 DeleteWhenDone=1 Suspend=0 StartOnlyIfIdle=0 KillOnIdleEnd=0 RestartOnIdleResume=0 Hidden=0 TaskFlags=0 /SAJ Test.job /SAC Test.job /RJ
The credentials it is using in the JT.EXE command line are of a Domain Admin account and I am scheduling the job on the local computer with a non-privileged account (that is how I am logged on). It works great the first time and the job executes and gets deleted when finished. The problem is that when execute the same batch file a second time, I get the following error:
code:
[TRACE] Created trigger 0 [TRACE] Setting account information [TRACE] Setting job's properties [TRACE] Adding job 'Test.job' [FAIL ] ITaskScheduler::AddWorkItemn hr=0x80070005
Looking at the c:\winnt\SchedLgU.txt reveals the following problen:
code:
"Test.job" (test.exe) 11/8/2002 10:27:00 PM ** ERROR ** The attempt to retrieve account information for the specified task failed; therefore, the task did not run. Either an error occurred, or no account information existed for the task. The specific error is: 0x8004130f: No account information could be found in the Task Scheduler security database for the task indicated.
Doing some research, found the following KB article at Microsoft: Scheduled Task Does Not Run...
It sounds like even though the job is getting deleted, the security descriptor is still being kept in the database against that job name and deleting ity is breaking it and can never be used again.
So here I am seeking the advice of the masters of this trade. Please help!
Thanks!
Anupam Agarwal [ 09. November 2002, 05:56: Message edited by: Anupam Agarwal ]
|
Top
|
|
|
|
#12787 - 2002-11-09 05:56 AM
Re: HOW-TO: Running scripts with ADMIN powers
|
Howard Bullock
KiX Supporter
Registered: 2000-09-15
Posts: 5809
Loc: Harrisburg, PA USA
|
Long Line Police in action
|
Top
|
|
|
|
#12788 - 2002-11-09 05:56 AM
Re: HOW-TO: Running scripts with ADMIN powers
|
Anupam Agarwal
Fresh Scripter
Registered: 2002-09-25
Posts: 17
Loc: Austin, TX
|
Thanks Les. I just fixed it.
|
Top
|
|
|
|
#12789 - 2002-11-09 03:51 PM
Re: HOW-TO: Running scripts with ADMIN powers
|
djek
Lurker
Registered: 2002-11-09
Posts: 3
|
quote: The problem is that when execute the same batch file a second time, I get the following error:
code: [TRACE] Created trigger 0 [TRACE] Setting account information [TRACE] Setting job's properties [TRACE] Adding job 'Test.job' [FAIL ] ITaskScheduler::AddWorkItemn hr=0x80070005
That's right, as a safety measure it wil not continue. Comment the return if you don't want this feature.
; delete a potentially existing task $shellcmd=$jtexe+' /SM \\'+$computer+' /SD +$taskname shell '%COMSPEC% /e:1024 /c '+$shellcmd if @ERROR $scheduletask=@ERROR ; return endif
|
Top
|
|
|
|
#12790 - 2002-11-09 04:38 PM
Re: HOW-TO: Running scripts with ADMIN powers
|
Anupam Agarwal
Fresh Scripter
Registered: 2002-09-25
Posts: 17
Loc: Austin, TX
|
In my original post, I have the flag code:
DeleteWhenDone=1
So the job gets deleted as soon as it is finished running. If I run the above recommended script to delete the job, I get an error because the job does not exist. I tried setting the flag
code:
DeleteWhenDone=0
and then run the above script to delete the job in which case, the job gets deleted without errors. In either case, my original script still fails with same error.
There are couple other interesting things to note:
1. Once I run my batch file with the specified credentials and successfully schedule the job, run it, and delete it, I cannot schedule any job with those credentials again (that is, even if I change the job name). I get the same error.
2. I was able to run my batch file and schedule the job this morning with the same credentials which was failing last night. And now I cannot run it again. But I am sure it will start working in several hours. Which tells me that the local security database eventially purges the credentials. I don't know what governs that time out or if I have any control over it.
3. Another piece of information is that when my batch file fails and I get the error, the job still gets set in the scheduler but with the logged on user's credentials instead of the credentials supplied on the command line. And the job never runs either. It just sits there and does nothing.
Sorry for these long emails but I think I need to explain as much troubleshooting informatiuon as I already have.
Thanks you again for helping me out with this.
Anupam
|
Top
|
|
|
|
#12792 - 2002-11-10 09:34 AM
Re: HOW-TO: Running scripts with ADMIN powers
|
Anupam Agarwal
Fresh Scripter
Registered: 2002-09-25
Posts: 17
Loc: Austin, TX
|
Jens,
Looks like the problem is with the scheduler service itself. Scheduling the job manually using the wizard generates the exact same error. However, if you are logged on with admin rights, everything works okay.
This tells me that the credentials are stored in tha local secutiry database. The database purges old information after some time by itself (don't know how long). Admin rights are needed to overwrite information in this database.
I am not sure where we go from here. The only thing I can think of is to figure out a way to change the database refresh interval if possible or delete the credentials from it when the job is deleted.
I guess I am expecting magic or miracle here.
Thanks, Anupam
|
Top
|
|
|
|
#12794 - 2002-11-10 05:31 PM
Re: HOW-TO: Running scripts with ADMIN powers
|
Anupam Agarwal
Fresh Scripter
Registered: 2002-09-25
Posts: 17
Loc: Austin, TX
|
I hve seen that article. It was a link in the article I posted in my original post. Where is the article about the daylight savings problem? In my earlier posts, when I mentioned local security database, I was actually referring to the protected storage database. I was expecting that when the job is deleted, the password should also get deleted from the protected storage database. As I said earlier, the password does enevtually get dropped from it but I don't know if we have any control over the timing of it from the registry etc.
Thanks, Anupam
|
Top
|
|
|
|
#12796 - 2002-11-10 06:20 PM
Re: HOW-TO: Running scripts with ADMIN powers
|
Anupam Agarwal
Fresh Scripter
Registered: 2002-09-25
Posts: 17
Loc: Austin, TX
|
I found the article about Daylight Savings Time issue with the Task Scheduler unless you were referring to a different one. According to this article, the problem only happens during the one hour of fall back and one hour of spring forward. So, I am thinking that this is probably not what is causing my issue.
|
Top
|
|
|
|
#12799 - 2002-11-11 07:17 PM
Re: HOW-TO: Running scripts with ADMIN powers
|
Anupam Agarwal
Fresh Scripter
Registered: 2002-09-25
Posts: 17
Loc: Austin, TX
|
Guys, I am really sorry about messing up the old thread and making you guys go through all this work. I do want to put another update here.
I ran a test batch file that scheduled and deleted the job at one minute interval with the same credentials and recorded the time and status in a log file. It turns out that there are exactly 12 hours between successes which means that once a job is scheduled and deleted, it cannot be rescheduled with the same credentials for the next 12 hours.
Thanks, Anupam
|
Top
|
|
|
|
#12802 - 2002-11-11 09:31 PM
Re: HOW-TO: Running scripts with ADMIN powers
|
Anupam Agarwal
Fresh Scripter
Registered: 2002-09-25
Posts: 17
Loc: Austin, TX
|
Both of those are good ideas but then I don't have as much control over when I want things to happen. For example, I wanted to add this in the logon script such that if there is a missing element on the workstation, it would fire off a job and make the required change which requires admin permissions. A set interval will only happen whenever the interval expires. I could live with it but not an elegant solution.
I wil continue my research on this and keep this (or the new thread if you decide to create one) posted for your information.
Thanks again for all the valuable help.
Anupam
|
Top
|
|
|
|
Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart
|
1 registered
(Allen)
and 466 anonymous users online.
|
|
|