Using Group Policy, I created a Windows task that any user can run manually but that runs under a specific domain user (e.g. DOMAIN\task_user) that has been assigned very limited access privileges. This policy/task worked fine with Windows 7 PCs; however, it does not seem to work with Windows 10 PCs (if I try to run the task, even as an administrator, I see an access denied error).
I think that the reason for this is that Windows 10 does not seem to allow Windows tasks created via domain policy that run under a domain user where the password is saved. For example, within Task Scheduler, if I export the problem task that was created on the local PC with Group Policy and then import it as a new task (this involves manually re-entering the password for DOMAIN\task_user) and run it manually, it works just fine.
As a solution to this problem, I see that some people suggest that the task be run as the SYSTEM user instead. The reason is that there is no need to save a password for the SYSTEM user at the Group Policy level, so the Windows task should run normally. However, this seems like a bad idea from a security perspective, since the SYSTEM user has access permissions comparable to a local administrator.
So my question is, how can I get around the password saving problem in group policy and create a task that anybody can run but that runs with very limited permissions?