任務計劃程序的服務帳戶權限 READ

tag-icon tag-icon powershell permissions scheduled-task task-scheduler powershell-v5.0
任務計劃程序的服務帳戶權限 READ

我編寫了一個 PowerShell 腳本來比較應用程式伺服器叢集的兩個節點之間的排程任務。它使用此程式碼從給定伺服器查詢任務...

function getTasks($server) {
    return Get-ScheduledTask -CimSession $server | 
        Where-Object TaskPath -like '*OurFolder*' | 
        ForEach-Object {
            [pscustomobject]@{ 
                Server = $server
                Path = $_.TaskPath
                Name = $_.TaskName
                Disabled = ($_.State -eq 'Disabled')
                Command = $_.Actions.Execute
                Arguments = $_.Actions.Arguments
                Interval = $_.Triggers.RepetitionInterval
                HashId = "$($_.Actions.Execute)|$($_.Actions.Arguments)"
                HashFull = "$($_.TaskPath)|$($_.TaskName)|$($_.Actions.Execute)|$($_.Actions.Arguments)|$(($_.State -eq 'Disabled'))"
            }
        }
}

在我的網域管理員帳戶下運行時它工作得非常完美。

但是,當我嘗試在我們的服務帳戶下將其作為計劃任務運行時,在嘗試查詢其他節點上的計劃任務時會出現此錯誤...

Get-ScheduledTask : SERVER.domain.local: Cannot connect to CIM server. Access is denied.
At F:\Applications\TaskSchedulerNodeCompare\compare-nodes.ps1:9 char:12
+     return Get-ScheduledTask -CimSession $server |
+            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask

谷歌搜尋並環顧四周外觀就像允許帳戶存取此清單的唯一方法是將它們新增至相關伺服器上的 LocalAdmins 中嗎?但必須將我們的服務帳戶設定為本機管理員確實感覺不對,而且顯然我們不希望在我的網域管理員帳戶下執行該任務。

我試過了解決方案編號3 這裡, 哪個聲音就像它會那樣...

1.  As an Administrator of the server, go to Server Manager -> Tools -> Computer Management.  On the left expand "Services and Applications" and right click "WMI Control".  Go to "Properties".
2.  In the newly open Window, click on Security tab.
3.  Expand Root tree, and then click on the node CIMV2, and click the button security
4.  In the newly open Window, click the button Advanced.
5.  In the newly open Window, click the button Add under the permission tab.
6.  In the newly open Window, click on “select a principal", then search for the user you that was having the problem.  
7.  In the applies to, choose “this namespace and subnamespace".
8.  For the permission, check on “Execute Methods", “Enable Accounts" and “Remote Enable"
9.  Click accept on all the open dialogue boxes
10. Restart WMI services.  As an Admininstrator of the server, go to Server Manager -> Tools -> Computer Management.  On the left expand "Services and Applications" and click on "Services".  Go to "Windows Management Instrumentation" and right click it.  Then choose "Restart".
11. Try the command again. The above directions were adapted from this StackOverflow posting.

但即使完成了所有這些步驟,它仍然不起作用。

如何允許我們的服務帳戶從我們的伺服器查詢(唯讀)規劃任務,同時盡可能保持安全意識?

答案1

據我所知,計劃任務只能由建立者或本機管理群組的成員看到。我還懷疑任何可行的解決方案都會涵蓋更改本地物件或類似內容的權限後創建的任務。

另外,請參閱這個問題/答案,它看起來非常相似: 計劃任務的權限或 ACL

相關內容