A Quick Tip Restrict Users From Modifying The Schedule Tasks
Group Policy does not provide any policy settings to hide Schedule Tasks created by an administrator or applications. You need to use a small script to accomplish this. This article explains how you can do this using a small script.
As an example, you are domain administrator. You need to create a schedule task to perform a couple of tasks on all the client computers and need to make sure users and local administrators are not able to delete this task. To accomplish this, you need to hide the task and remove the permissions for local administrators group. This article assumes you have the commands written in TaskFile.CMD and is already copied to the C:\Windows\System32 directory on all the client computers.
1. Create a CMD file by name: Tasks.CMD and then put the following lines in it:
- REM *** START ***
- @ Echo off
- C:\Windows\System32\Schtasks.exe /Create /s \\%COMPUTERNAME% /tn "Task_Name" /tr C:\Windows\System32\TaskFile.CMD /sc onidle /i 60 /ru "NT Authority\System"
- Echo Y|C:\Windows\System32\Cacls.exe C:\Windows\Tasks\Task_Name.JOB /G SYSTEM:F
- REM *** END ***
2. Edit or create a Group Policy Object and put the Tasks.CMD in Startup Script.
The above script will create a task by name Task_Name. The task runs the TaskFile.CMD file which you copy to client computers and runs when computer is idle for 1 hour. You can change this as per your requirement.
The next line in script assigns SYSTEM account Full Control permissions removing any other account from the property of the task. This way local users, domain users and even local administrators cannot see the task when they go to Schedule Tasks folder.