I get the following error in the Scheduled Task history when I try to run a task:
Task Scheduler successfully completed task "\Restart Tomcat" , instance "{264b4620-5f3b-6c5f-a6cb-1625a7fa57de}" , action "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" with return code 1.
The scheduled task is configured as follows:
- Name: Restart Tomcat
- User: DOMAIN\tomcat.restarter
- Triggers: Daily 2AM Enabled
- Actions: Start a Program:
  - Program/script: powershell
  - Arguments: -Command "Restart-Service Tomcat6"
When I launch a Command Prompt as DOMAIN\tomcat.restarter with:
runas /user:DOMAIN\tomcat.restarter cmd
And run:
powershell -Command "Restart-Service Tomcat6"
Then echo %errorlevel% prints 0 and Tomcat gets restarted. This shows that the SDDL on the Tomcat6 service is sufficient for the purpose and that DOMAIN\tomcat.restarter can restart it.
If I change the scheduled task arguments to -Command "'hello world'" > '%TEMP%\Temp.log' I get return code 0 in the Task History and hello world shows up in C:\Users\tomcat.restarter\AppData\Local\Temp\Temp.log. This shows that the Log on as a batch job User Right is effective for DOMAIN\tomcat.restarter, that it can run Powershell and that it can write files.
UPDATE: Further investigation
I created a restart.bat in D:\tomcat\bin and set the Program/script to restart.bat, arguments to > "%TEMP%\Temp.log" 2>&1 and Start in to D:\tomcat\bin.
Listing of restart.bat:
powershell -Command "Restart-Service Tomcat6"
In C:\Users\tomcat.restarter\AppData\Local\Temp\Temp.log I get the following content:
D:\tomcat\bin>powershell -Command "Restart-Service Tomcat6"
Restart-Service : Cannot open Tomcat6 service on computer '.'.
At line:1 char:16
+ Restart-Service <<<< Tomcat6
+ CategoryInfo : NotSpecified: (:) [Restart-Service], InvalidOper
ationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Power
Shell.Commands.RestartServiceCommand
Why does powershell -Command "Restart-Service Tomcat6" fail when run from a Scheduled Task?
tl;dr
My SDDL was incomplete. I needed to add SW (EnumDeps) to the already added LCRPWP permissions in the SDDL.
Long Version
Here is the (sanitized) version of my (broken) SDDL:
The problem is in the last clause permissions:
The SID S-1-1-11-1111111111-1111111111-1111111111-1111 is correct for the group DOMAIN\Tomcat Restarters that DOMAIN\tomcat.restarter is a member of. That much is right. The permissions granted (LCRPWP) are insufficient for Restart-Service.
For the Restart-Service Cmdlet to work it needs the right to Enumerate Dependent Services. In SDDL this is SW (EnumDeps) in the SDDL string. I had LCRPWP which allows QueryStat, Start and Stop.
The correct SDDL for Tomcat 6 for me is:
The mystery is why Powershell could run Restart-Service from a runas Command Prompt, but not from the Task Scheduler.
I got the necessary revelation from reading @splattered bits' answer to his own similar issue with Restart-Service at https://serverfault.com/a/357753/57073.
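The rights check described in the answer above, as an added example that is not part of the original post: it parses a service DACL and reports which of the rights named for Restart-Service (LC, RP, WP, SW) a given set of token SIDs lacks. The DACL is a constructed sample (typical default service ACEs plus the group ACE, not the poster's actual SDDL), and the token contents are assumptions: an interactive logon carrying IU for runas, and BATCH (S-1-5-3) for the scheduled task, which would explain why the same DACL satisfies one and fails the other.

```powershell
# Rights the page names for Restart-Service: LC (QueryStat), RP (Start),
# WP (Stop) and SW (EnumDeps).
$NeededForRestart = 'LC', 'RP', 'WP', 'SW'

function Get-MissingRestartRights {
    param([string]$Sddl, [string[]]$TokenSids)

    # Keep only the DACL: drop owner/group before "D:" and any SACL after "S:".
    $dacl = ($Sddl -creplace '^.*?D:', '') -creplace 'S:.*$', ''
    $allowed = @(); $denied = @()

    # ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
    $acePattern = '\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)'
    foreach ($ace in [regex]::Matches($dacl, $acePattern)) {
        $type   = $ace.Groups[1].Value
        $rights = $ace.Groups[2].Value
        $sid    = $ace.Groups[3].Value
        # SIDs are compared as written in the SDDL (alias such as IU, or S-1-...).
        if ($TokenSids -notcontains $sid) { continue }

        # Rights are concatenated two-letter codes; hex masks are not handled here.
        $codes = [regex]::Matches($rights, '[A-Z]{2}') | ForEach-Object { $_.Value }
        if ($type -eq 'A') { $allowed += $codes } elseif ($type -eq 'D') { $denied += $codes }
    }
    # A needed right is missing if no matching ACE allows it or one denies it.
    $NeededForRestart | Where-Object { ($allowed -notcontains $_) -or ($denied -contains $_) }
}

# Constructed sample DACL: typical default service ACEs plus the group ACE.
$group    = 'S-1-1-11-1111111111-1111111111-1111111111-1111'
$template = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
            '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;{0};;;' + $group + ')'
$broken = $template -f 'LCRPWP'
$fixed  = $template -f 'LCRPWPSW'

# Assumed token contents: runas yields an interactive logon (IU); a scheduled
# task running as a batch job carries BATCH (S-1-5-3) instead.
$cases = @(
    @{ Name = 'broken, runas (interactive)'; Sddl = $broken; Sids = $group, 'IU' }
    @{ Name = 'broken, scheduled task';      Sddl = $broken; Sids = $group, 'S-1-5-3' }
    @{ Name = 'fixed, scheduled task';       Sddl = $fixed;  Sids = $group, 'S-1-5-3' }
)
foreach ($c in $cases) {
    $missing = @(Get-MissingRestartRights -Sddl $c.Sddl -TokenSids $c.Sids)
    $text = if ($missing.Count) { $missing -join ',' } else { 'none' }
    '{0,-30} missing: {1}' -f $c.Name, $text
}
```

To audit a real service, pass the string printed by `sc.exe sdshow <service>` as `-Sddl`, along with the SIDs the task's account actually holds.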
Does the command require elevation? Even if you have UAC turned all the way down, the scheduled task would need the check box for having elevated privileges.
I was going to add this as a comment but the code handling is horrid:
Can you add a few lines to capture some more info please?
$error should output all the error information that has been generated in this session.
$1 will just show what it finds when it searches for the Tomcat service, just in case it can't see it for whatever reason.