On a Windows server which is in a domain, I have a script I run from scheduled tasks. I want this script to be run under a mydomain\peter user account. It is simple to do it with scheduled tasks, if you know Peter's password. And once done, the script stops when Peter decides to (or has to) change his password.
On Linux, a cron job can be run with whatever user account without having to know the corresponding password. And root can run anything on behalf of another user (with su and sudo).
Any way to do this with Windows?
My need is for an old Windows 2003 server, but I can manage to run it from another computer.
This is not supported on Windows. For accountability reasons you're not supposed to impersonate other users, not even as an administrator.
This is exactly the use-case for service-accounts, though. Why not set up a domain user service account for this scheduled task?
It's probably what you should be doing anyway, rather than running scheduled tasks or scripts as a real user. You can disable password expiry on the account so that the job doesn't fail whenever Pete has to change his password, for another benefit.
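The service-account setup this answer recommends, as an added PowerShell example (not code from the original answer). It assumes a domain controller reachable with the RSAT ActiveDirectory module, the ScheduledTasks module (Windows Server 2012 or later, so not the asker's 2003 box), and hypothetical names for the account, OU and script path:

```powershell
# Added example: create a dedicated domain service account with a non-expiring
# password and register a scheduled task that runs as it.
# Assumes: RSAT ActiveDirectory module, ScheduledTasks module (Server 2012+).
# Account name, OU and script path below are hypothetical.
Import-Module ActiveDirectory
Import-Module ScheduledTasks

$domain     = 'mydomain'
$samName    = 'svc-nightlyjob'                              # hypothetical account
$ou         = 'OU=ServiceAccounts,DC=mydomain,DC=local'     # hypothetical OU
$scriptPath = 'C:\Jobs\nightly.ps1'                         # hypothetical script

# A 256-bit random password: nobody types it, so "never expires" costs less than
# a human-chosen password would. It is handed only to the Task Scheduler.
$bytes  = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain  = [Convert]::ToBase64String($bytes)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

New-ADUser -Name $samName -SamAccountName $samName -Path $ou `
    -AccountPassword $secure -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Service account for NightlyJob; not for interactive logon'

# Register the task with a stored password (the same mechanism the question
# uses for Peter, but now the account exists only for this job).
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Daily -At 02:00
Register-ScheduledTask -TaskName 'NightlyJob' -Action $action -Trigger $trigger `
    -User "$domain\$samName" -Password $plain -RunLevel Limited

# Drop the plaintext from this session once the scheduler has it.
Remove-Variable plain, bytes
```

Two checks worth doing afterwards: the account must hold the "Log on as a batch job" user right (the Task Scheduler grants it when the task is registered with a password, but a Group Policy that sets that right explicitly can strip it again, and the task then fails with a logon failure), and the script, its folder and any files it writes should be ACLed so that only this account and administrators can modify them, since anything that can edit the script runs as the service account.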
OK, since you only want to reduce your access rights (rather than actually running as Peter per se) you may have some options.
In Windows 7 (and Windows Server 2008 R2) the task scheduler supports this directly (via the "Do not store password" option) but I don't think there is any built-in equivalent for Windows Server 2003. Running the task this way on a different machine probably won't help because you don't get network access.
It can be done in software, though, even on Windows 2003, via the CreateRestrictedToken Win32 function. A Google search found a piece of software called ulimitnt which appears to be able to do what you want (via the -RSid option). Note that I've never used this program so I can't vouch for its reliability.
Using this approach, the script only has access to files that grant access to both local system and to Peter. (Note that the local system account implicitly belongs to the Administrators group, so if Administrators has access that will be sufficient.)