Allowing Local Standard Account Log On As Batch Job Rights


  1. Posts : 396
    Windows 10 Pro
       #1


    Hi,

    At the risk of sounding naive, I hope someone can help with the following situation.

    I created a task in Task Scheduler for the standard user account to have Windows Defender check for and update signatures every 3 hours rather than the once per day default setting.

    However, when running the task the command prompt window remained open, which I did not want.

    I logged in as administrator and, as the title says, allowed the standard user "log on as a batch job" rights, which then allowed me to set the task to not have the window open.

    So far so good, but the question is whether or not I have now lowered the security of both the standard and admin accounts by changing the setting in secpol.msc to allow the rights.

    Any input appreciated, even if the suggestion is to undo what I set up.

    Thanks!


  2. Posts : 3,274
    Win10
       #2

    Just to clarify, did you originally run the Defender check using a batch command and schedule the task using "Run with highest privileges"? If so, and the scheduled task you created did run successfully and your only issue is that "when running the task the command prompt window remained open, which I did not want", then you could try to run the task by creating a .vbscript and using the .vbs which calls the .bat file. This should hide the command prompt window.


    Copy the following into Notepad and save it for example as "C:\test\Defendercheck.vbs"


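    ' Launch the batch file through WScript.Shell; the second argument (0) is the window style "hidden"
    Set WshShell = CreateObject("WScript.Shell")
    ' Chr(34) wraps the path in double quotes so that spaces in it are handled
    WshShell.Run Chr(34) & "C:\full path to your Defender check file batch file.bat" & Chr(34), 0
    Set WshShell = Nothing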

    (Of course, replace "C:\full path to your Defender check file batch file.bat" with exact path of your own original Batch file)


    In Task Scheduler, call the Defendercheck.vbs using C:\Windows\System32\wscript.exe as the program and the "C:\test\Defendercheck.vbs" file as the argument using its full path.


    For information on using the vbscript, see "Community Chosen Answer" here for how to make the vbscript work (in case you don't know):

    QA: Completely invisible batch file. | ITNinja

    more info here:
    Hide Command Window of .BAT file that Executes Another .EXE File - Stack Overflow

    I haven't tried it myself, but worth trying instead of changing Group Policy settings which may have security implications according to:

    Log on as a batch job (Windows 10) | Microsoft Docs
    which says: "Use discretion when assigning this right to specific users for security reasons."

    If the .vbscript approach doesn't work, just reverse the changes until somebody more knowledgeable chips in.

    Good luck.


  3. Posts : 396
    Windows 10 Pro
    Thread Starter
       #3

    Hi das10 and thanks for the response.

    This was my concern that there might be security implications.

    So, this was what I did step by step to get to this point:

    1. created a task using the information from this link:
    How to change the Windows Defender update frequency

    2. the task ran successfully but the command prompt window was open as mentioned

    At this point the only change I made was to switch in the task from "Run only when user is logged on" to "Run whether user is logged on or not". It was at this time that I was asked for a password and received an error message about rights and batch jobs.

    3. I then logged in to the admin account and changed the setting in GPE based on the information here:
    Log on as Batch Job Rights for Task Scheduler — danblee.com

    I did not set "Run with highest privileges" either in the initial task or after changing the GPE setting.

    The task runs as I wanted it to but as you pointed out there may be security implications.

    This is a personal/work computer and nobody else has access to it (if that makes a difference).

    Are you suggesting I undo the changes to GPE?

    Thanks!
    Last edited by Rubi; 05 Mar 2019 at 14:05. Reason: adding more information


  4. Posts : 3,274
    Win10
       #4

    I would test it out like this.

    1 Undo the GPE.
    2 If the task ran without highest privileges set, you can try the .vbs approach. If that does not work, enable the "highest privileges"
    3 If that doesn't work, you can set up everything as before, as, as it is a personal computer, it may be safe to change the GPE to your requirement. (Although having said that, the .vbs approach might still be the best as it means that you will never have to worry about any possible security issues related to that GP setting in future.)

    nb: Sorry, I just read Try3's message, and he has some valid points there too.


  5. Posts : 16,949
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #5

    Using SecPol was pointless because you could use the vbs intermediary suggested by das10.
    - Any raised permissions level given to an account means that a hacker could do more damage if that account was penetrated.
    - So you might as well undo the secpol changes and do the vbs way.

    If you are the only user then you can keep things simple by leaving the task to run only when you are logged on. I do the same because the other accounts on my computers are not used for day-to-day working but for admin jobs so I avoid any unnecessary tasks while I am using them.

    I agree with you that you do not need admin permission to update WD definitions so you do not need to set 'highest privileges' in TS or even look at group policies. I do it the vbs way and I do not use 'highest privileges' in TS.

    I actually go a bit further than you. Instead of hiding the WD update task, I set it to run minimised and with a specific icon.
    Make Windows 10 Task scheduler run a batch file minimised and with a specific icon - MSA Forum article
    If you have any questions then post them here not there.

    - - - - - - - - - - -

    By the way, you could protect yourself from the risk of user profile corruption inherent in only having one account on the computer by creating two password-protected local admin accounts.
    - Add Local Account or Microsoft Account - TenForumsTutorials
    - If you do ever suffer from user profile corruption you would be able to use one of them to sort things out.
    - Having these accounts ready for use would turn a potential catastrophe into a minor annoyance. You would be able to avoid having to use any of my long-winded guidance on that subject.
    - Always write down the account passwords somewhere secure yet readily accessible. Mine are inside a thing on my keyring [photo in the long-winded article above].

    Denis


  6. Posts : 396
    Windows 10 Pro
    Thread Starter
       #6

    Thanks to both of you, das10 and Denis.

    I fully take on board the comments about security.

    Here are the changes I have made:

    1. removed the log on as a batch job rights for the standard account in GPE

    2. set task back to "Run only when user is logged on"

    3. added a "minimized" parameter in the task. Instead of the command prompt sitting there it now briefly flashes and disappears. Not ideal, but it will do for now.

    It is starting to get late here and I do not have the energy to read up on vbs etc. but I will try and take the time to look into that further.

    Thanks again for all the help.
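A way to confirm the user-rights change discussed in this thread (an added example, not part of any post here): it exports the local user-rights policy with secedit and lists which accounts hold SeBatchLogonRight, the privilege behind "Log on as a batch job", along with its deny counterpart. The function name Get-UserRightHolders and the temporary file name are assumptions made for the example.

```powershell
# Added example: list the accounts that hold "Log on as a batch job"
# (SeBatchLogonRight) and "Deny log on as a batch job" (SeDenyBatchLogonRight).
# Run from an elevated PowerShell prompt; secedit needs admin rights to export.

function Get-UserRightHolders {          # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $PolicyLines,   # lines of a secedit export
        [Parameter(Mandatory)] [string]   $Right          # e.g. SeBatchLogonRight
    )
    $pattern = "^\s*$([regex]::Escape($Right))\s*="
    $line = $PolicyLines | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { return }           # the right is not assigned to anyone
    $value = ($line -split '=', 2)[1]
    foreach ($entry in $value.Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'; translate to a name where possible
            $sid = $entry.TrimStart('*')
            try {
                $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = '(unresolved SID)' }
            [pscustomobject]@{ Right = $Right; Sid = $sid; Account = $name }
        } else {
            # some accounts are exported by name rather than by SID
            [pscustomobject]@{ Right = $Right; Sid = $null; Account = $entry }
        }
    }
}

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed scratch file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the prompt elevated?)' }
try {
    $lines = Get-Content -Path $cfg
    'SeBatchLogonRight', 'SeDenyBatchLogonRight' |
        ForEach-Object { Get-UserRightHolders -PolicyLines $lines -Right $_ } |
        Format-Table -AutoSize
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```

An individual standard account in the SeBatchLogonRight rows means the secpol.msc change is still in effect; after undoing it, that row should be gone.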


  7. Posts : 396
    Windows 10 Pro
    Thread Starter
       #7

    Try3 said:

    By the way, you could protect yourself from the risk of user profile corruption inherent in only having one account on the computer by creating two password-protected local admin accounts.
    - Add Local Account or Microsoft Account - TenForumsTutorials
    - If you do ever suffer from user profile corruption you would be able to use one of them to sort things out.
    - Having these accounts ready for use would turn a potential catastrophe into a minor annoyance. You would be able to avoid having to use any of my long-winded guidance on that subject.
    - Always write down the account passwords somewhere secure yet readily accessible. Mine are inside a thing on my keyring [photo in the long-winded article above].

    Denis

    I have two accounts on this machine, one under my regular name which is the admin account that came with the laptop and a second, standard account, which I use for work and everyday usage.

    Both accounts are password protected of course.

    Do you still recommend adding a second local admin account re. what you wrote above?


  8. Posts : 16,949
    Windows 10 Home x64 Version 22H2 Build 19045.4170
       #8

    Whilst studying vbs properly is laudable, I can confirm that I have used the same syntax as @das10 so you can just copy & adjust that suggested script without any worries.

    About additional accounts
    - I am sure that I am being extremely pessimistic in creating a second admin account.
    - I do not suppose that many people bother.
    - Accounts get corrupted in use [i.e. while you are logged into them] not while they are just sitting there.
    - I create a second admin account in case a catastrophe happens while I am using the first one & it gets corrupted.
    - Whilst there is no definitive list of causes for user profile corruption, it is commonly thought to happen when the computer crashes or if the computer is deliberately forced off while an account is in use [e.g. if the computer is frozen and you cannot turn it off the normal way].
    - I never use the second one so I do not believe that it could be already-corrupted if I ever did need to use it.

    Denis


 
