Easy Way to Change Permissions on the Windows Server Scheduled Tasks Folder (C:\Windows\Tasks)

Posted @ Monday, April 21, 2008 10:06 AM by Timothy | Files in Tech

By default, ostensibly for security purposes, Microsoft makes it very difficult to modify folder permissions on C:\Windows\Tasks -- the "Scheduled Tasks" folder. You'll notice there is no security or sharing tab in the properties of this folder. The only way to modify it is to use CACLS.EXE, XCACLS.EXE, or XCACLS.VBS, or a similar program which manipulates the NTFS permission flags directly. This is not really the ideal way to do it. It's much easier to use Explorer's view, so you can be sure of the permissions you are assigning, without messing up other permissions.

I found a fairly reasonable work-around for this problem. It's a multi-step process, but it is worth the trouble. Although command line operations with CACLS is still required, you can use the Explorer interface to assign the new permissions before applying them to the Tasks folder.

Be VERY cautious when following these steps, or you may inadvertently open up serious security holes -- there IS a reason Microsoft locks this folder down tightly.

1. Open a command prompt.

2. Type 

XCOPY C:\WINDOWS\TASKS c:\TASKPERM /s /e /k /o
This will copy the tasks folder, in its entirety, including permissions and attributes. This essentially gives you a "mirrored" version of the scheduled tasks at C:\TASKPERM. It is probably not necessary to copy the tasks within the "Tasks" folder (the /S flag does this), but I like to be complete. :-)

3. Go to Windows Explorer and modify the ACL of C:\TASKPERM to suit your needs. Remember that if the user/group you are assigning permissions to should not be able to modify ALL tasks, it is important to set the "Apply To" attribute to "This folder only."

4. Back at the command prompt, type 

CACLS C:\TASKPERM /S
Select the SDDL string (the stuff between the quotes) into the clipboard. Since the command prompt does not support line-wrapping text copy, you may have to post a larger string into notepad, and then trim out the stuff on either side of the quotes. You only want the bare SDDL string in the clipboard.

5. Type 

CACLS C:\WINDOWS\TASKS /S:
...replacing/pasting the part with the SDDL string you put into the clipboard in step 4 -- do not include quotes.

6. Test!

7. Delete the C:\TASKPERM folder.

Not too bad, right? If you screw up your C:\WINDOWS\TASKS folder, the default ACL for Windows Server 2003 is D:P(A;OICIIO;FA;;;CO)(A;;0x1200ab;;;BO)(A;;0x1200ab;;;SO)(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)