A member of the Administrators group can use the Cacls.exe utility to modify the discretionary access control List (DACL) of the Tasks folder and grant a member of any group permission to create or to modify scheduled tasks. If a member of the Administrators group uses the Cacls.exe utility to modify the DACL of the Tasks folder, a user may be able to use the schtasks
command to create a scheduled task to run in the security context of a user account that has more user rights, including administrative rights. However, if the user creates a second scheduled task to run under the same user account that has more rights, the user receives a message that is similar to the following, where taskname
is the name of the task: The scheduled task is created, but the user name and password account information are not configured for the task.
For more information about how to use the Cacls.exe utility to modify a DACL, visit the following Microsoft Web site: