Windows Server 2003 Glitch
By default, Windows Server 2003 doesn’t let you read or execute the cmd.exe file.
September 27, 2004
I recently needed to design a backup strategy for a project on a Windows Server 2003, Standard Edition standalone server running Certificate Services. At first I used a batch file (i.e., .cmd file) that ran every hour to back up an essential database. For security reasons, I created an account with only backup operator privileges and used this account to start the batch job. After I finished testing the batch file, I added a new scheduled task to Windows Task Scheduler.
I was able to run the scheduled task as Administrator from the built-in system account (i.e., NT AuthoritySystem). In addition, Task Scheduler could start the batch job while I was logged on interactively as the backup operator. But if I logged off or logged on as a different user, the job failed. Task Scheduler generated the error message could not start, and the log file reported the access violation that Figure 1 shows.
I checked the server's user rights assignment and granted the backup operator the log on as a batch job right, with no success. I also created an audit policy and enabled success and failure auditing for most events. However, the Security event log showed no error messages.
Finally, I tried using a Visual Basic (VB) script. Task Scheduler ran any VB script I executed as the backup operator but wouldn't run a batch file from within the script.
As a last resort, I installed Sysinternals' FileMon tool. FileMon reported an access violation on the cmd.exe file in the WINDOWSsystem32 directory. By default, Windows 2003's built-in Batch account can run scripts such as VB scripts but can't run batch files. To solve this problem, you need to reset the cmd.exe file's permissions. I added the built-in Batch security setting with the right to read and execute the cmd.exe program, and my scheduled task ran as expected.
About the Author
You May Also Like